@Cyb3rWard0g
Last active July 6, 2018 14:07
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Sysmon" Guid="{5770385F-C22A-43E0-BF4C-06F5698FFBD9}" />
    <EventID>1</EventID>
    <Version>5</Version>
    <Level>4</Level>
    <Task>1</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2018-07-06T14:05:04.230108800Z" />
    <EventRecordID>12772</EventRecordID>
    <Correlation />
    <Execution ProcessID="5940" ThreadID="3192" />
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel>
    <Computer>DESKTOP-LFD11QP</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="RuleName">technique_id=T1136,technique_name=Create_Account,tactic=persistence, platform=windows</Data>
    <Data Name="UtcTime">2018-07-06 14:05:04.225</Data>
    <Data Name="ProcessGuid">{1C9FDC81-7710-5B3F-0000-0010EA1B9B01}</Data>
    <Data Name="ProcessId">328</Data>
    <Data Name="Image">C:\Windows\System32\net.exe</Data>
    <Data Name="FileVersion">10.0.14393.0 (rs1_release.160715-1616)</Data>
    <Data Name="Description">Net Command</Data>
    <Data Name="Product">Microsoft® Windows® Operating System</Data>
    <Data Name="Company">Microsoft Corporation</Data>
    <Data Name="CommandLine">net.exe localgroup Administrators wardog /add</Data>
    <Data Name="CurrentDirectory">c:\Sysmon\</Data>
    <Data Name="User">DESKTOP-LFD11QP\pedro</Data>
    <Data Name="LogonGuid">{1C9FDC81-5182-5B3F-0000-0020D3ED5100}</Data>
    <Data Name="LogonId">0x51edd3</Data>
    <Data Name="TerminalSessionId">1</Data>
    <Data Name="IntegrityLevel">High</Data>
    <Data Name="Hashes">SHA1=900FDD63E033FD88910D3231429AC7DC7ACBB698,MD5=9B1E2A711EA151F766EA24389E2D4442,SHA256=7D76325D4092C9C9FE48B36C275C0255E461D8197A7960DF35DFBC270A9C6613,IMPHASH=C41B15F592DE4589047CE5119CE87468</Data>
    <Data Name="ParentProcessGuid">{1C9FDC81-6029-5B3F-0000-0010DBFE7E01}</Data>
    <Data Name="ParentProcessId">692</Data>
    <Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
    <Data Name="ParentCommandLine">"C:\Windows\system32\cmd.exe"</Data>
  </EventData>
</Event>