Kerberos Detection/Investigation
{
"cells": [
{
"cell_type": "code",
"execution_count": 33,
"id": "31e98d20-b644-4be7-a9c4-2c7259074ee3",
"metadata": {},
"outputs": [],
"source": [
"%%capture\n",
"!pip install splunk-sdk\n",
"!pip install pandas\n",
"!pip install pandasql\n",
"import matplotlib.pyplot as plt\n",
"import pandas as pd\n",
"import pandasql\n",
"pd.set_option('display.max_columns', None) \n",
"pd.set_option('display.expand_frame_repr', False)\n",
"pd.set_option('max_colwidth', 0)\n",
"\n",
"import splunklib.client as client\n",
"# Create a Service instance and log in; supply host and credentials at run time rather than hard-coding them in the notebook\n",
"service = client.connect(\n",
" host='', #Input your Splunk's IP here\n",
" port='8089',\n",
" username=\"admin\",\n",
" password=\"\",\n",
" scheme='https')"
]
},
{
"cell_type": "code",
"execution_count": 34,
"id": "5c31741f-49da-40ae-9ec3-4baa9d6abee5",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/1547866794.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"import splunklib.results as results\n",
"# Query: EID 4769 TGS requests for non-machine, non-krbtgt services with RC4 (0x17) or AES256 (0x12) ticket encryption and result code 0x0 (Kerberoasting candidates)\n",
"query = \"search index=windows sourcetype=Security EventCode=4769 Service_Name!=*$ Service_Name!=krbtgt Failure_Code =0x0 Account_Name!=*$* AND ((Ticket_Encryption_Type=0x17 AND (Ticket_Options=0x40800018) OR (Ticket_Options=0x40800000)) OR (Ticket_Encryption_Type=0x12 AND Ticket_Options=0x40800000)) earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID =pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_4769_kerberoasting = pd.DataFrame(df4_EID)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "b6eba2c8-0c2b-462b-a8c3-3254aa051352",
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results\n",
"# Query: all EID 4769 TGS requests in the last hour; the S4U2Self filter (Ticket Options 0x40800018, Failure Code 0x0) is applied in the later pandasql join\n",
"query = \"search index=windows sourcetype=Security EventCode=4769 earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID=pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_4769_s4u2self = pd.DataFrame(df4_EID)"
]
},
{
"cell_type": "code",
"execution_count": 52,
"id": "35ef8ecb-646b-4c02-b377-83fe591bcc6a",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/3561581670.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"import splunklib.results as results\n",
"# Query: EID 4768 TGT requests (AS-REQ) with RC4 (0x17) ticket encryption in the last hour\n",
"query = \"search index=windows sourcetype=Security EventCode=4768 Ticket_Encryption_Type=0x17 earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID=pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_4768_asktgt = pd.DataFrame(df4_EID)"
]
},
{
"cell_type": "code",
"execution_count": 64,
"id": "f8c60fef-093a-42a7-8c57-7da1e4d3f74b",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/2979222138.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"import splunklib.results as results\n",
"# Query: EID 5156 (Filtering Platform connection) outbound to destination port 88 (Kerberos) from non-DC hosts; joined later on source address/port to tie the request to the client process\n",
"query = \"search index=windows sourcetype=Security EventCode=5156 Destination_Port=88 host!=*DC* earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID=pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_5156_Client = pd.DataFrame(df4_EID)\n",
"\n",
"\n",
"AccountName = df5_EID_4768_asktgt['Account Name'].str.split('@').str[-2]\n",
"df5_EID_4768_asktgt.update(AccountName)\n",
"ServiceID = df5_EID_4768_asktgt['Service ID'].str.split('\\\\').str[-1]\n",
"df5_EID_4768_asktgt.update(ServiceID)\n",
"ClientAddress = df5_EID_4768_asktgt['Client Address'].str.split(':').str[-1]\n",
"df5_EID_4768_asktgt.update(ClientAddress)\n",
"#df5_EID_5156_Client['Process ID'] = pd.to_numeric(df5_EID_5156_Client['Process ID']).apply(hex)\n",
"df5_EID_5156_Client['Process ID'] = pd.to_numeric(df5_EID_5156_Client['Process ID'])"
]
},
{
"cell_type": "code",
"execution_count": 65,
"id": "3bd17173-6842-4952-9a75-271ba1213178",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Process ID</th>\n",
" <th>Application Name</th>\n",
" <th>Direction</th>\n",
" <th>Source Address</th>\n",
" <th>Source Port</th>\n",
" <th>Destination Address</th>\n",
" <th>Destination Port</th>\n",
" <th>Protocol</th>\n",
" <th>Filter Run-Time ID</th>\n",
" <th>Layer Name</th>\n",
" <th>Layer Run-Time ID</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>5552</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52411</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>3548</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52394</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>3548</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52393</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>3548</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52391</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52390</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52389</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52388</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52387</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52386</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>7204</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52263</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>7204</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52262</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>11</th>\n",
" <td>7204</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52260</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>12</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52259</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>13</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52258</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>14</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52232</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>15</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52231</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>16</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52230</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>17</th>\n",
" <td>200</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52209</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>18</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52208</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>19</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52207</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>20</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52206</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" Process ID Application Name Direction Source Address Source Port Destination Address Destination Port Protocol Filter Run-Time ID Layer Name Layer Run-Time ID\n",
"0 5552 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52411 192.168.2.11 88 6 0 Connect 48 \n",
"1 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52394 192.168.2.11 88 6 0 Connect 48 \n",
"2 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52393 192.168.2.11 88 6 0 Connect 48 \n",
"3 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52391 192.168.2.11 88 6 0 Connect 48 \n",
"4 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52390 192.168.2.11 88 6 0 Connect 48 \n",
"5 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52389 192.168.2.11 88 6 0 Connect 48 \n",
"6 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52388 192.168.2.11 88 6 0 Connect 48 \n",
"7 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52387 192.168.2.11 88 6 0 Connect 48 \n",
"8 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52386 192.168.2.11 88 6 0 Connect 48 \n",
"9 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52263 192.168.2.11 88 6 0 Connect 48 \n",
"10 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52262 192.168.2.11 88 6 0 Connect 48 \n",
"11 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52260 192.168.2.11 88 6 0 Connect 48 \n",
"12 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52259 192.168.2.11 88 6 0 Connect 48 \n",
"13 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52258 192.168.2.11 88 6 0 Connect 48 \n",
"14 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52232 192.168.2.11 88 6 0 Connect 48 \n",
"15 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52231 192.168.2.11 88 6 0 Connect 48 \n",
"16 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52230 192.168.2.11 88 6 0 Connect 48 \n",
"17 200 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52209 192.168.2.11 88 6 0 Connect 48 \n",
"18 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52208 192.168.2.11 88 6 0 Connect 48 \n",
"19 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52207 192.168.2.11 88 6 0 Connect 48 \n",
"20 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52206 192.168.2.11 88 6 0 Connect 48 "
]
},
"execution_count": 65,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"df5_EID_5156_Client"
]
},
{
"cell_type": "code",
"execution_count": 66,
"id": "ac0bd7f0-91ab-4411-a6c2-25c77a3f1d9f",
"metadata": {},
"outputs": [],
"source": [
"from pandasql import sqldf\n",
"ClientSide_AskTGT_Kerberoasting = pandasql.sqldf(\n",
"\"\"\"\n",
"SELECT *\n",
"FROM df5_EID_4768_asktgt a\n",
"JOIN df5_EID_5156_Client b \n",
"ON a.'Client Port' == b.'Source Port'\n",
"AND a.'Client Address' == b.'Source Address'\n",
"\"\"\"\n",
"\n",
").drop_duplicates().reset_index().drop(\"index\", axis=1)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "0fc540f5-7b3d-4058-bbb6-481b3e34d25f",
"metadata": {},
"outputs": [],
"source": [
"from pandasql import sqldf\n",
"ClientSide_S4U2Self = pandasql.sqldf(\n",
"\"\"\"\n",
"SELECT *\n",
"FROM df5_EID_4769_s4u2self a\n",
"JOIN df5_EID_5156_Client b \n",
"ON a.'Client Port' == b.'Source Port'\n",
"AND a.'Client Address' == b.'Source Address'\n",
"WHERE a.'Ticket Options' == \"0x40800018\" AND a.'Failure Code' == \"0x0\"\n",
"\"\"\"\n",
"\n",
").drop_duplicates().reset_index().drop(\"index\", axis=1)"
]
},
{
"cell_type": "code",
"execution_count": 67,
"id": "7504e827-63cd-499e-b55b-044af4a6ca8d",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Account Name</th>\n",
" <th>Supplied Realm Name</th>\n",
" <th>User ID</th>\n",
" <th>Service Name</th>\n",
" <th>Service ID</th>\n",
" <th>Client Address</th>\n",
" <th>Client Port</th>\n",
" <th>Ticket Options</th>\n",
" <th>Result Code</th>\n",
" <th>Ticket Encryption Type</th>\n",
" <th>Pre-Authentication Type</th>\n",
" <th>Process ID</th>\n",
" <th>Application Name</th>\n",
" <th>Direction</th>\n",
" <th>Source Address</th>\n",
" <th>Source Port</th>\n",
" <th>Destination Address</th>\n",
" <th>Destination Port</th>\n",
" <th>Protocol</th>\n",
" <th>Filter Run-Time ID</th>\n",
" <th>Layer Name</th>\n",
" <th>Layer Run-Time ID</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>panther</td>\n",
" <td>marvel.local</td>\n",
" <td>MARVEL\\panther</td>\n",
" <td>krbtgt</td>\n",
" <td>krbtgt</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52411</td>\n",
" <td>0x40800010</td>\n",
" <td>0x0</td>\n",
" <td>0x17</td>\n",
" <td>2</td>\n",
" <td>5552</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52411</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>panther</td>\n",
" <td>marvel.local</td>\n",
" <td>MARVEL\\panther</td>\n",
" <td>krbtgt</td>\n",
" <td>krbtgt</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52209</td>\n",
" <td>0x40800010</td>\n",
" <td>0x0</td>\n",
" <td>0x17</td>\n",
" <td>2</td>\n",
" <td>200</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52209</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" Account Name Supplied Realm Name User ID Service Name Service ID Client Address Client Port Ticket Options Result Code Ticket Encryption Type Pre-Authentication Type Process ID Application Name Direction Source Address Source Port Destination Address Destination Port Protocol Filter Run-Time ID Layer Name Layer Run-Time ID\n",
"0 panther marvel.local MARVEL\\panther krbtgt krbtgt 192.168.2.10 52411 0x40800010 0x0 0x17 2 5552 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52411 192.168.2.11 88 6 0 Connect 48 \n",
"1 panther marvel.local MARVEL\\panther krbtgt krbtgt 192.168.2.10 52209 0x40800010 0x0 0x17 2 200 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52209 192.168.2.11 88 6 0 Connect 48 "
]
},
"execution_count": 67,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"ClientSide_AskTGT_Kerberoasting"
]
},
{
"cell_type": "code",
"execution_count": 68,
"id": "b9d760a8-a5f9-4150-8c4f-12232f51ebbd",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/3290488740.py:7: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"Query_4688 = []\n",
"for a in ClientSide_AskTGT_Kerberoasting['Process ID']:\n",
" import splunklib.results as results\n",
" # Query: Sysmon EID 1 (process create) for this Process ID; PIDs are reused, so unrelated processes can match (see the chrome.exe and smartscreen.exe rows in the output) - compare UtcTime with the 5156 event. The loop breaks after the first PID.\n",
" query = \"search index=windows sourcetype=Sysmon EventCode=1 ProcessId={} earliest=-4hr\".format(a)\n",
" query_results = service.jobs.oneshot(query, count=0)\n",
" reader = results.ResultsReader(query_results)\n",
"\n",
" results = []\n",
"\n",
" for result in reader:\n",
" results.append(result)\n",
"\n",
" df_EID=pd.DataFrame(results)\n",
" df2_EID = df_EID.Message\n",
" df3_EID = df2_EID.str.split('\\n')\n",
" df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
" Query_4688.append(pd.DataFrame(df4_EID))\n",
" break\n",
"df = pd.concat(Query_4688)"
]
},
{
"cell_type": "code",
"execution_count": 69,
"id": "02363626-4e96-46fb-b7b3-548f6d860461",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>RuleName</th>\n",
" <th>UtcTime</th>\n",
" <th>ProcessGuid</th>\n",
" <th>ProcessId</th>\n",
" <th>Image</th>\n",
" <th>FileVersion</th>\n",
" <th>Description</th>\n",
" <th>Product</th>\n",
" <th>Company</th>\n",
" <th>OriginalFileName</th>\n",
" <th>CommandLine</th>\n",
" <th>CurrentDirectory</th>\n",
" <th>User</th>\n",
" <th>LogonGuid</th>\n",
" <th>LogonId</th>\n",
" <th>TerminalSessionId</th>\n",
" <th>IntegrityLevel</th>\n",
" <th>Hashes</th>\n",
" <th>ParentProcessGuid</th>\n",
" <th>ParentProcessId</th>\n",
" <th>ParentImage</th>\n",
" <th>ParentCommandLine</th>\n",
" <th>ParentUser</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:36:14.649</td>\n",
" <td>{56d91ad3-e66e-62ce-5e2f-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:06:17.648</td>\n",
" <td>{56d91ad3-df69-62ce-452e-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</td>\n",
" <td>103.0.5060.114</td>\n",
" <td>Google Chrome</td>\n",
" <td>Google Chrome</td>\n",
" <td>Google LLC</td>\n",
" <td>chrome.exe</td>\n",
" <td>\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --launch-time-ticks=71269923481 --mojo-platform-channel-handle=6468 --field-trial-handle=1700,i,7950739293659264102,16766236593476826016,131072 /prefetch:1</td>\n",
" <td>C:\\Program Files\\Google\\Chrome\\Application\\103.0.5060.114\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-c160-0b0000000000}</td>\n",
" <td>0xB60C1</td>\n",
" <td>2</td>\n",
" <td>Low</td>\n",
" <td>SHA1=AF8A6E7216F67CA5D220084D07E1ED922AC72817,MD5=D3E37D1F3304AB7EDAA2E4D3AC183980,SHA256=AA395EE3B33142BD96382709C515F321D122E2499F773A457868C8666C9177A2,IMPHASH=6B4443349D1BF3B7F64F196B03E28222</td>\n",
" <td>{56d91ad3-ca26-62cd-2801-000000002f00}</td>\n",
" <td>4240</td>\n",
" <td>C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</td>\n",
" <td>\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:58:55.922</td>\n",
" <td>{56d91ad3-ddaf-62ce-f92d-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Windows\\System32\\smartscreen.exe</td>\n",
" <td>10.0.19041.1052 (WinBuild.160101.0800)</td>\n",
" <td>Windows Defender SmartScreen</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>smartscreen.exe</td>\n",
" <td>C:\\Windows\\System32\\smartscreen.exe -Embedding</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-c160-0b0000000000}</td>\n",
" <td>0xB60C1</td>\n",
" <td>2</td>\n",
" <td>Medium</td>\n",
" <td>SHA1=183E877F488F2DF9F304F60A42514A334720399F,MD5=521ED922765BCA8F79BD76188F879311,SHA256=9605680FC164ACB985C031ECA2C8BC4909CF8B749C571DB6DE2B0B2C204C2163,IMPHASH=6DFBF12753AF176E3C203C407493A5B9</td>\n",
" <td>{56d91ad3-c9b2-62cd-0f00-000000002f00}</td>\n",
" <td>844</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:56:00.159</td>\n",
" <td>{56d91ad3-dd00-62ce-e12d-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" <td>{56d91ad3-c9b1-62cd-e703-000000000000}</td>\n",
" <td>0x3E7</td>\n",
" <td>0</td>\n",
" <td>System</td>\n",
" <td>SHA1=E73E8A345775B9E136D131758073B194CC629086,MD5=16D726D7FB24044AA736D7E3A0C6C307,SHA256=417219BE9BC27BF2906BE8BF3C253094B7A3B79A134CEDAEF9366E88A48D5E24,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9</td>\n",
" <td>{56d91ad3-c9b8-62cd-5500-000000002f00}</td>\n",
" <td>3452</td>\n",
" <td>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</td>\n",
" <td>\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" RuleName UtcTime ProcessGuid ProcessId Image FileVersion Description Product Company OriginalFileName CommandLine CurrentDirectory User LogonGuid LogonId TerminalSessionId IntegrityLevel Hashes ParentProcessGuid ParentProcessId ParentImage ParentCommandLine ParentUser\n",
"0 - 2022-07-13 15:36:14.649 {56d91ad3-e66e-62ce-5e2f-000000002f00} 5552 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"1 - 2022-07-13 15:06:17.648 {56d91ad3-df69-62ce-452e-000000002f00} 5552 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe 103.0.5060.114 Google Chrome Google Chrome Google LLC chrome.exe \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --launch-time-ticks=71269923481 --mojo-platform-channel-handle=6468 --field-trial-handle=1700,i,7950739293659264102,16766236593476826016,131072 /prefetch:1 C:\\Program Files\\Google\\Chrome\\Application\\103.0.5060.114\\ MARVEL\\thor {56d91ad3-c9cc-62cd-c160-0b0000000000} 0xB60C1 2 Low SHA1=AF8A6E7216F67CA5D220084D07E1ED922AC72817,MD5=D3E37D1F3304AB7EDAA2E4D3AC183980,SHA256=AA395EE3B33142BD96382709C515F321D122E2499F773A457868C8666C9177A2,IMPHASH=6B4443349D1BF3B7F64F196B03E28222 {56d91ad3-ca26-62cd-2801-000000002f00} 4240 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" MARVEL\\thor \n",
"2 - 2022-07-13 14:58:55.922 {56d91ad3-ddaf-62ce-f92d-000000002f00} 5552 C:\\Windows\\System32\\smartscreen.exe 10.0.19041.1052 (WinBuild.160101.0800) Windows Defender SmartScreen Microsoft® Windows® Operating System Microsoft Corporation smartscreen.exe C:\\Windows\\System32\\smartscreen.exe -Embedding C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-c160-0b0000000000} 0xB60C1 2 Medium SHA1=183E877F488F2DF9F304F60A42514A334720399F,MD5=521ED922765BCA8F79BD76188F879311,SHA256=9605680FC164ACB985C031ECA2C8BC4909CF8B749C571DB6DE2B0B2C204C2163,IMPHASH=6DFBF12753AF176E3C203C407493A5B9 {56d91ad3-c9b2-62cd-0f00-000000002f00} 844 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p NT AUTHORITY\\SYSTEM\n",
"3 - 2022-07-13 14:56:00.159 {56d91ad3-dd00-62ce-e12d-000000002f00} 5552 C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe - - - - - \"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2 C:\\Windows\\system32\\ NT AUTHORITY\\SYSTEM {56d91ad3-c9b1-62cd-e703-000000000000} 0x3E7 0 System SHA1=E73E8A345775B9E136D131758073B194CC629086,MD5=16D726D7FB24044AA736D7E3A0C6C307,SHA256=417219BE9BC27BF2906BE8BF3C253094B7A3B79A134CEDAEF9366E88A48D5E24,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 {56d91ad3-c9b8-62cd-5500-000000002f00} 3452 C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe \"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service NT AUTHORITY\\SYSTEM"
]
},
"execution_count": 69,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"df"
]
},
{
"cell_type": "code",
"execution_count": 70,
"id": "9fc420f1-8f0b-4f19-9d6c-ad988a10f92a",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/23119429.py:8: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"LogonData = []\n",
"for a in df['LogonId']:\n",
" if a != \"0x3E7\":\n",
" import splunklib.results as results\n",
" #Query: \n",
" query = \"search index=windows sourcetype=Sysmon EventCode=1 LogonId={}\".format(a)\n",
" query_results = service.jobs.oneshot(query, count=0)\n",
" reader = results.ResultsReader(query_results)\n",
"\n",
" results = []\n",
"\n",
" for result in reader:\n",
" results.append(result)\n",
"\n",
" df_EID=pd.DataFrame(results)\n",
" df2_EID = df_EID.Message\n",
" df3_EID = df2_EID.str.split('\\n')\n",
" df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
" LogonData.append(pd.DataFrame(df4_EID))\n",
" break\n",
"Logondf = pd.concat(LogonData)"
]
},
{
"cell_type": "code",
"execution_count": 71,
"id": "fcd72a97-b331-46e9-a7bb-16398a4c2287",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>RuleName</th>\n",
" <th>UtcTime</th>\n",
" <th>ProcessGuid</th>\n",
" <th>ProcessId</th>\n",
" <th>Image</th>\n",
" <th>FileVersion</th>\n",
" <th>Description</th>\n",
" <th>Product</th>\n",
" <th>Company</th>\n",
" <th>OriginalFileName</th>\n",
" <th>CommandLine</th>\n",
" <th>CurrentDirectory</th>\n",
" <th>User</th>\n",
" <th>LogonGuid</th>\n",
" <th>LogonId</th>\n",
" <th>TerminalSessionId</th>\n",
" <th>IntegrityLevel</th>\n",
" <th>Hashes</th>\n",
" <th>ParentProcessGuid</th>\n",
" <th>ParentProcessId</th>\n",
" <th>ParentImage</th>\n",
" <th>ParentCommandLine</th>\n",
" <th>ParentUser</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:36:14.649</td>\n",
" <td>{56d91ad3-e66e-62ce-5e2f-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:32:19.853</td>\n",
" <td>{56d91ad3-e583-62ce-382f-000000002f00}</td>\n",
" <td>3548</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:32:18.204</td>\n",
" <td>{56d91ad3-e582-62ce-372f-000000002f00}</td>\n",
" <td>2476</td>\n",
" <td>C:\\Windows\\System32\\klist.exe</td>\n",
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n",
" <td>Tool for managing the Kerberos ticket cache</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>klist.exe</td>\n",
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:01:18.712</td>\n",
" <td>{56d91ad3-de3e-62ce-152e-000000002f00}</td>\n",
" <td>7204</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:59:38.424</td>\n",
" <td>{56d91ad3-ddda-62ce-012e-000000002f00}</td>\n",
" <td>9228</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:58:33.255</td>\n",
" <td>{56d91ad3-dd99-62ce-f52d-000000002f00}</td>\n",
" <td>3100</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt kerberoast</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:53:51.822</td>\n",
" <td>{56d91ad3-dc7f-62ce-cc2d-000000002f00}</td>\n",
" <td>200</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:53:48.482</td>\n",
" <td>{56d91ad3-dc7c-62ce-cb2d-000000002f00}</td>\n",
" <td>8680</td>\n",
" <td>C:\\Windows\\System32\\klist.exe</td>\n",
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n",
" <td>Tool for managing the Kerberos ticket cache</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>klist.exe</td>\n",
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:53:38.250</td>\n",
" <td>{56d91ad3-dc72-62ce-ca2d-000000002f00}</td>\n",
" <td>8012</td>\n",
" <td>C:\\Windows\\System32\\auditpol.exe</td>\n",
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n",
" <td>Audit Policy Program</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>AUDITPOL.EXE</td>\n",
" <td>\"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:51:28.865</td>\n",
" <td>{56d91ad3-dbf0-62ce-b02d-000000002f00}</td>\n",
" <td>7088</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:45:35.253</td>\n",
" <td>{56d91ad3-da8f-62ce-6c2d-000000002f00}</td>\n",
" <td>7056</td>\n",
" <td>C:\\Windows\\System32\\klist.exe</td>\n",
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n",
" <td>Tool for managing the Kerberos ticket cache</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>klist.exe</td>\n",
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>11</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:33:37.653</td>\n",
" <td>{56d91ad3-12e1-62ce-8f0d-000000002f00}</td>\n",
" <td>4736</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>12</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:57.679</td>\n",
" <td>{56d91ad3-12b9-62ce-6d0d-000000002f00}</td>\n",
" <td>1320</td>\n",
" <td>C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\DismHost.exe</td>\n",
" <td>10.0.19041.746 (WinBuild.160101.0800)</td>\n",
" <td>Dism Host Servicing Process</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>DismHost.exe</td>\n",
" <td>C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\dismhost.exe {432304F9-73D7-4EEE-B662-354362A6C263}</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=DBB14DCDA6502AB1D23A7C77D405DAFBCBEB439E,MD5=E5D5E9C1F65B8EC7AA5B7F1B1ACDD731,SHA256=E30508E2088BC16B2A84233CED64995F738DEAEF2366AC6C86B35C93BBCD9D80,IMPHASH=D204EB506D6ABBEB4C51A54E8F6C1789</td>\n",
" <td>{56d91ad3-12a7-62ce-5b0d-000000002f00}</td>\n",
" <td>6904</td>\n",
" <td>C:\\Windows\\System32\\cleanmgr.exe</td>\n",
" <td>C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>13</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:41.271</td>\n",
" <td>{56d91ad3-12a9-62ce-5f0d-000000002f00}</td>\n",
" <td>1096</td>\n",
" <td>C:\\Windows\\System32\\conhost.exe</td>\n",
" <td>10.0.19041.1320 (WinBuild.160101.0800)</td>\n",
" <td>Console Window Host</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>CONHOST.EXE</td>\n",
" <td>\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1</td>\n",
" <td>C:\\Windows</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7</td>\n",
" <td>{56d91ad3-12a9-62ce-5e0d-000000002f00}</td>\n",
" <td>1964</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe -Embedding</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>14</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:41.223</td>\n",
" <td>{56d91ad3-12a9-62ce-5e0d-000000002f00}</td>\n",
" <td>1964</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe</td>\n",
" <td>10.0.19041.1 (WinBuild.160101.0800)</td>\n",
" <td>Scripted Diagnostics Native Host</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>sdiagnhost.exe</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe -Embedding</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=540745F1CE67423A156069218680B9DA873B4778,MD5=6A21B1893DDE94CB87BA56111375888A,SHA256=761815301A00D0B3A7BB4959A5004B623C55009CE701C6E867C96F468DC1323A,IMPHASH=88C840A970A1633DCA61E1CD2D926E21</td>\n",
" <td>{56d91ad3-c9b2-62cd-0f00-000000002f00}</td>\n",
" <td>844</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>15</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:39.738</td>\n",
" <td>{56d91ad3-12a7-62ce-5b0d-000000002f00}</td>\n",
" <td>6904</td>\n",
" <td>C:\\Windows\\System32\\cleanmgr.exe</td>\n",
" <td>10.0.19041.1266 (WinBuild.160101.0800)</td>\n",
" <td>Disk Space Cleanup Manager for Windows</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>CLEANMGR.DLL</td>\n",
" <td>C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=D0782098CBF41490EA1E54DB5D21A679F332A113,MD5=CD0D99EBE88D11F55136EAE39CCF8F6E,SHA256=ACD2CBFB4C9FB8FE20C21A7EC99445D1426CEE90FF3091115EB4C9484B69EA9D,IMPHASH=98FFD535813DA56E7646C88F49DBE567</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>16</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:38.954</td>\n",
" <td>{56d91ad3-12a6-62ce-4f0d-000000002f00}</td>\n",
" <td>4808</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>17</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:27:35.194</td>\n",
" <td>{56d91ad3-cb27-62cd-9201-000000002f00}</td>\n",
" <td>2312</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>18</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:26:43.102</td>\n",
" <td>{56d91ad3-caf3-62cd-7401-000000002f00}</td>\n",
" <td>2608</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever1!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>19</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:26:33.398</td>\n",
" <td>{56d91ad3-cae9-62cd-6f01-000000002f00}</td>\n",
" <td>1176</td>\n",
" <td>C:\\Windows\\System32\\auditpol.exe</td>\n",
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n",
" <td>Audit Policy Program</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>AUDITPOL.EXE</td>\n",
" <td>\"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>20</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:25:27.022</td>\n",
" <td>{56d91ad3-caa7-62cd-6501-000000002f00}</td>\n",
" <td>7304</td>\n",
" <td>C:\\Windows\\System32\\mmc.exe</td>\n",
" <td>10.0.19041.746 (WinBuild.160101.0800)</td>\n",
" <td>Microsoft Management Console</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>mmc.exe</td>\n",
" <td>\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=9269F1FBCF65FEFBC88A2E239519C21EFE0F6BA5,MD5=8C86B80518406F14A4952D67185032D6,SHA256=895EEF1EDA5700A425934AE3782D4741DFEFB7DEAFA53891BDE490150187B98A,IMPHASH=6D8477830CFE8D50B7224D91F4DD7CB9</td>\n",
" <td>{56d91ad3-c9d8-62cd-d500-000000002f00}</td>\n",
" <td>7196</td>\n",
" <td>C:\\Windows\\explorer.exe</td>\n",
" <td>C:\\Windows\\Explorer.EXE</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>21</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:24:14.820</td>\n",
" <td>{56d91ad3-ca5e-62cd-5601-000000002f00}</td>\n",
" <td>5084</td>\n",
" <td>C:\\Windows\\System32\\conhost.exe</td>\n",
" <td>10.0.19041.1320 (WinBuild.160101.0800)</td>\n",
" <td>Console Window Host</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>CONHOST.EXE</td>\n",
" <td>\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1</td>\n",
" <td>C:\\Windows</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>22</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:24:14.498</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n",
" <td>Windows PowerShell</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>PowerShell.EXE</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7</td>\n",
" <td>{56d91ad3-c9d8-62cd-d500-000000002f00}</td>\n",
" <td>7196</td>\n",
" <td>C:\\Windows\\explorer.exe</td>\n",
" <td>C:\\Windows\\Explorer.EXE</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>23</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:23:06.122</td>\n",
" <td>{56d91ad3-ca1a-62cd-1e01-000000002f00}</td>\n",
" <td>9940</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe $(Arg0)</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>24</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:21:56.825</td>\n",
" <td>{56d91ad3-c9d4-62cd-cb00-000000002f00}</td>\n",
" <td>6308</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" RuleName UtcTime ProcessGuid ProcessId Image FileVersion Description Product Company OriginalFileName CommandLine CurrentDirectory User LogonGuid LogonId TerminalSessionId IntegrityLevel Hashes ParentProcessGuid ParentProcessId ParentImage ParentCommandLine ParentUser\n",
"0 - 2022-07-13 15:36:14.649 {56d91ad3-e66e-62ce-5e2f-000000002f00} 5552 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"1 - 2022-07-13 15:32:19.853 {56d91ad3-e583-62ce-382f-000000002f00} 3548 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"2 - 2022-07-13 15:32:18.204 {56d91ad3-e582-62ce-372f-000000002f00} 2476 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"3 - 2022-07-13 15:01:18.712 {56d91ad3-de3e-62ce-152e-000000002f00} 7204 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"4 - 2022-07-13 14:59:38.424 {56d91ad3-ddda-62ce-012e-000000002f00} 9228 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"5 - 2022-07-13 14:58:33.255 {56d91ad3-dd99-62ce-f52d-000000002f00} 3100 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt kerberoast C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"6 - 2022-07-13 14:53:51.822 {56d91ad3-dc7f-62ce-cc2d-000000002f00} 200 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"7 - 2022-07-13 14:53:48.482 {56d91ad3-dc7c-62ce-cb2d-000000002f00} 8680 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"8 - 2022-07-13 14:53:38.250 {56d91ad3-dc72-62ce-ca2d-000000002f00} 8012 C:\\Windows\\System32\\auditpol.exe 10.0.19041.546 (WinBuild.160101.0800) Audit Policy Program Microsoft® Windows® Operating System Microsoft Corporation AUDITPOL.EXE \"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"9 - 2022-07-13 14:51:28.865 {56d91ad3-dbf0-62ce-b02d-000000002f00} 7088 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"10 - 2022-07-13 14:45:35.253 {56d91ad3-da8f-62ce-6c2d-000000002f00} 7056 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"11 - 2022-07-13 00:33:37.653 {56d91ad3-12e1-62ce-8f0d-000000002f00} 4736 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"12 - 2022-07-13 00:32:57.679 {56d91ad3-12b9-62ce-6d0d-000000002f00} 1320 C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\DismHost.exe 10.0.19041.746 (WinBuild.160101.0800) Dism Host Servicing Process Microsoft® Windows® Operating System Microsoft Corporation DismHost.exe C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\dismhost.exe {432304F9-73D7-4EEE-B662-354362A6C263} C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=DBB14DCDA6502AB1D23A7C77D405DAFBCBEB439E,MD5=E5D5E9C1F65B8EC7AA5B7F1B1ACDD731,SHA256=E30508E2088BC16B2A84233CED64995F738DEAEF2366AC6C86B35C93BBCD9D80,IMPHASH=D204EB506D6ABBEB4C51A54E8F6C1789 {56d91ad3-12a7-62ce-5b0d-000000002f00} 6904 C:\\Windows\\System32\\cleanmgr.exe C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C: MARVEL\\thor \n",
"13 - 2022-07-13 00:32:41.271 {56d91ad3-12a9-62ce-5f0d-000000002f00} 1096 C:\\Windows\\System32\\conhost.exe 10.0.19041.1320 (WinBuild.160101.0800) Console Window Host Microsoft® Windows® Operating System Microsoft Corporation CONHOST.EXE \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 C:\\Windows MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7 {56d91ad3-12a9-62ce-5e0d-000000002f00} 1964 C:\\Windows\\System32\\sdiagnhost.exe C:\\Windows\\System32\\sdiagnhost.exe -Embedding MARVEL\\thor \n",
"14 - 2022-07-13 00:32:41.223 {56d91ad3-12a9-62ce-5e0d-000000002f00} 1964 C:\\Windows\\System32\\sdiagnhost.exe 10.0.19041.1 (WinBuild.160101.0800) Scripted Diagnostics Native Host Microsoft® Windows® Operating System Microsoft Corporation sdiagnhost.exe C:\\Windows\\System32\\sdiagnhost.exe -Embedding C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=540745F1CE67423A156069218680B9DA873B4778,MD5=6A21B1893DDE94CB87BA56111375888A,SHA256=761815301A00D0B3A7BB4959A5004B623C55009CE701C6E867C96F468DC1323A,IMPHASH=88C840A970A1633DCA61E1CD2D926E21 {56d91ad3-c9b2-62cd-0f00-000000002f00} 844 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p NT AUTHORITY\\SYSTEM\n",
"15 - 2022-07-13 00:32:39.738 {56d91ad3-12a7-62ce-5b0d-000000002f00} 6904 C:\\Windows\\System32\\cleanmgr.exe 10.0.19041.1266 (WinBuild.160101.0800) Disk Space Cleanup Manager for Windows Microsoft® Windows® Operating System Microsoft Corporation CLEANMGR.DLL C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C: C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=D0782098CBF41490EA1E54DB5D21A679F332A113,MD5=CD0D99EBE88D11F55136EAE39CCF8F6E,SHA256=ACD2CBFB4C9FB8FE20C21A7EC99445D1426CEE90FF3091115EB4C9484B69EA9D,IMPHASH=98FFD535813DA56E7646C88F49DBE567 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"16 - 2022-07-13 00:32:38.954 {56d91ad3-12a6-62ce-4f0d-000000002f00} 4808 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"17 - 2022-07-12 19:27:35.194 {56d91ad3-cb27-62cd-9201-000000002f00} 2312 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"18 - 2022-07-12 19:26:43.102 {56d91ad3-caf3-62cd-7401-000000002f00} 2608 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever1! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"19 - 2022-07-12 19:26:33.398 {56d91ad3-cae9-62cd-6f01-000000002f00} 1176 C:\\Windows\\System32\\auditpol.exe 10.0.19041.546 (WinBuild.160101.0800) Audit Policy Program Microsoft® Windows® Operating System Microsoft Corporation AUDITPOL.EXE \"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"20 - 2022-07-12 19:25:27.022 {56d91ad3-caa7-62cd-6501-000000002f00} 7304 C:\\Windows\\System32\\mmc.exe 10.0.19041.746 (WinBuild.160101.0800) Microsoft Management Console Microsoft® Windows® Operating System Microsoft Corporation mmc.exe \"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=9269F1FBCF65FEFBC88A2E239519C21EFE0F6BA5,MD5=8C86B80518406F14A4952D67185032D6,SHA256=895EEF1EDA5700A425934AE3782D4741DFEFB7DEAFA53891BDE490150187B98A,IMPHASH=6D8477830CFE8D50B7224D91F4DD7CB9 {56d91ad3-c9d8-62cd-d500-000000002f00} 7196 C:\\Windows\\explorer.exe C:\\Windows\\Explorer.EXE MARVEL\\thor \n",
"21 - 2022-07-12 19:24:14.820 {56d91ad3-ca5e-62cd-5601-000000002f00} 5084 C:\\Windows\\System32\\conhost.exe 10.0.19041.1320 (WinBuild.160101.0800) Console Window Host Microsoft® Windows® Operating System Microsoft Corporation CONHOST.EXE \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 C:\\Windows MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"22 - 2022-07-12 19:24:14.498 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe 10.0.19041.546 (WinBuild.160101.0800) Windows PowerShell Microsoft® Windows® Operating System Microsoft Corporation PowerShell.EXE \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7 {56d91ad3-c9d8-62cd-d500-000000002f00} 7196 C:\\Windows\\explorer.exe C:\\Windows\\Explorer.EXE MARVEL\\thor \n",
"23 - 2022-07-12 19:23:06.122 {56d91ad3-ca1a-62cd-1e01-000000002f00} 9940 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe $(Arg0) C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"24 - 2022-07-12 19:21:56.825 {56d91ad3-c9d4-62cd-cb00-000000002f00} 6308 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM"
]
},
"execution_count": 71,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"Logondf"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "92422cca-fb2a-47c8-a769-55fcefa103b1",
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.9.7"
}
},
"nbformat": 4,
"nbformat_minor": 5
}

Query 1 - Kerberoasting with ProcessEvents

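// Kerberoasting, correlated back to the requesting process.
// Stage 1: TGS requests (4769) logged on the DC, keyed by the client's source address and port.
// No encryption-type/option filter is applied here; the analyst triages on the projected
// TicketEncryptionType and ticketOptions columns.
SecurityEvent
| where EventID == 4769
// EventData is the raw event XML; pull out the fields the correlation keys on.
| extend ticketOptions = toint(extract("<Data Name=\"TicketOptions\">(.*?)</Data>", 1, EventData))
| extend IpPort = toint(extract("<Data Name=\"IpPort\">(.*?)</Data>", 1, EventData))
| extend IpAddress = extract("<Data Name=\"IpAddress\">(.*?)</Data>", 1, EventData)
| extend TargetUserName = extract("<Data Name=\"TargetUserName\">(.*?)@.*?</Data>", 1, EventData)
| extend ServiceName = extract("<Data Name=\"ServiceName\">(.*?)</Data>", 1, EventData)
| extend TicketEncryptionType = toint(extract("<Data Name=\"TicketEncryptionType\">(.*?)</Data>", 1, EventData))
// IpAddress arrives as an IPv4-mapped IPv6 string ("::ffff:a.b.c.d"); keep the IPv4 part.
// Explicit aliases so the join keys below keep their names.
// NOTE(review): toint() on a dotted-quad address yields null on both sides of the join —
// confirm the key actually matches in your data, or compare the address as a string.
| project ServiceName, IpPort = toint(IpPort), SourceIp = toint(split(IpAddress, '::ffff:')[1]), ticketOptions, TicketEncryptionType
// Stage 2: Sysmon network connections (EventID 3) to the KDC port from non-DC hosts;
// the client's source port pairs the ticket request with the process that opened the socket.
// NOTE(review): `!contains "dc"` is a case-insensitive substring test and also drops any
// non-DC host whose name happens to contain "dc".
|join kind = inner (
    Sysmon
| where EventID == 3 and Computer !contains "dc" and DestinationPort == 88
| project-rename IpPort = SourcePort
| project TimeGenerated, Image, IpPort = toint(IpPort), ProcessId = toint(ProcessId), SourceIp = toint(SourceIp), CommandLine, Computer
) on IpPort, SourceIp
| project TimeGenerated, Image, IpPort, ProcessId, CommandLine, Computer, ServiceName, TicketEncryptionType, ticketOptions
// Stage 3: enrich with the process-creation record (account name, full command line).
// NOTE(review): joining on ProcessId alone can pair the connection with an unrelated process on
// another host, or with an earlier process that reused the PID; add the host name to the key
// once Computer and DeviceName are confirmed to use the same naming format.
| join kind=inner(
DeviceProcessEvents
| project-rename Image = FileName
| project TimeGenerated, ProcessId = toint(ProcessId), Image, AccountName, ProcessCommandLine, DeviceName
) on ProcessId
// TimeGenerated1 is the right-hand (DeviceProcessEvents) timestamp, auto-suffixed by the join.
| project TimeGenerated, DeviceName, TimeGenerated1, Image, ProcessId, AccountName, ServiceName, ProcessCommandLine, TicketEncryptionType, ticketOptions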

Query 2 - Kerberoasting w/o ProcessEvents

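// Kerberoasting without a process-creation table: correlate the DC's TGS requests (4769)
// with the Sysmon network connection (EventID 3) that carried them, which names the process.
// No encryption-type/option filter is applied here; the analyst triages on the projected
// TicketEncryptionType and ticketOptions columns.
SecurityEvent
| where EventID == 4769
// EventData is the raw event XML; pull out the fields the correlation keys on.
| extend ticketOptions = toint(extract("<Data Name=\"TicketOptions\">(.*?)</Data>", 1, EventData))
| extend IpPort = toint(extract("<Data Name=\"IpPort\">(.*?)</Data>", 1, EventData))
| extend IpAddress = extract("<Data Name=\"IpAddress\">(.*?)</Data>", 1, EventData)
| extend TargetUserName = extract("<Data Name=\"TargetUserName\">(.*?)@.*?</Data>", 1, EventData)
| extend ServiceName = extract("<Data Name=\"ServiceName\">(.*?)</Data>", 1, EventData)
| extend TicketEncryptionType = toint(extract("<Data Name=\"TicketEncryptionType\">(.*?)</Data>", 1, EventData))
// The 4769 is logged on the KDC, so Computer here is the destination DC.
| extend DestinationComputer = Computer
// IpAddress arrives as an IPv4-mapped IPv6 string ("::ffff:a.b.c.d"); keep the IPv4 part.
// Explicit aliases so the join keys below keep their names.
// NOTE(review): toint() on a dotted-quad address yields null on both sides of the join —
// confirm the key actually matches in your data, or compare the address as a string.
| project ServiceName, IpPort = toint(IpPort), SourceIp = toint(split(IpAddress, '::ffff:')[1]), ticketOptions, TicketEncryptionType, DestinationComputer
// Sysmon connections to the KDC port from non-DC hosts; the client's source port pairs the
// ticket request with the process that opened the socket.
// NOTE(review): `!contains "dc"` is a case-insensitive substring test and also drops any
// non-DC host whose name happens to contain "dc".
|join kind = inner (
    Sysmon
| where EventID == 3 and Computer !contains "dc" and DestinationPort == 88
| project-rename IpPort = SourcePort, SourceComputer = Computer
| project TimeGenerated, Image, IpPort = toint(IpPort), ProcessId = toint(ProcessId), SourceIp = toint(SourceIp), CommandLine, SourceComputer
) on IpPort, SourceIp
| project TimeGenerated, Image, IpPort, ProcessId, CommandLine, SourceComputer, DestinationComputer, ServiceName, TicketEncryptionType, ticketOptions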

Query 1 - S4U2Self:

```S4U2Self: a successful TGS request (4769, Failure_Code=0x0) carrying the 0x40800018 option mask in which the requesting account asks for a service ticket to itself.```
index=windows EventCode=4769 Ticket_Options=0x40800018 AND Failure_Code=0x0
```Client_Address arrives as an IPv4-mapped IPv6 string ("::ffff:a.b.c.d"); keep the last ":"-separated part. A native IPv6 client address would be reduced to its last group here.```
| eval temp=split(Client_Address, ":")
| eval Client_Address=mvindex(temp,-1)
```Normalise both names for comparison: Account_Name is "user@REALM", Service_Name is taken as its first value; upper() makes the match case-insensitive.```
| eval alt_account_name=upper(mvindex(split(Account_Name,"@"),0)) 
| eval alt_service_name=upper(mvindex(Service_Name,0))
| where alt_account_name == alt_service_name
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Pair the request with the originating process via the Windows Filtering Platform outbound-connection event (5156) to the KDC port on a non-DC host; the client's source port is the correlation key. Subsearch output is capped by limits.conf, so a busy environment may lose matches.```
| join SourcePort, SourceAddress
[
search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
| rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName
]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name

Query 2 - Kerberoasting:

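```Kerberoasting: successful TGS requests (4769) for SPNs on user accounts (not computer accounts ending in $, not krbtgt) where the ticket is RC4 (0x17) with either option mask below, or AES256 (0x12) with 0x40800000. AND binds tighter than OR in SPL, so the two RC4 option masks are grouped explicitly; without the grouping any encryption type with 0x40800000 would match. Ticket_Options=0x40810000 has also been observed for this activity in other datasets; extend the mask list if it appears in yours.```
index=windows EventCode=4769 Service_Name!="*$" Service_Name!="krbtgt" Failure_Code="0x0" Account_Name!="*$*" AND ((Ticket_Encryption_Type=0x17 AND (Ticket_Options=0x40800018 OR Ticket_Options=0x40800000)) OR (Ticket_Encryption_Type=0x12 AND Ticket_Options=0x40800000))
```Client_Address arrives as an IPv4-mapped IPv6 string ("::ffff:a.b.c.d"); keep the last ":"-separated part.```
| eval temp=split(Client_Address, ":")
| eval Client_Address=mvindex(temp,-1)
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Pair the request with the originating process via the Windows Filtering Platform outbound-connection event (5156) to the KDC port on a non-DC host; the client's source port is the correlation key. Subsearch output is capped by limits.conf, so a busy environment may lose matches.```
| join SourcePort, SourceAddress
[
search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
| rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName
]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name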

Query 3 - AskTGT:

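```AS-REQ (4768): a TGT requested with RC4 (0x17). Attacker can change encryption type, so this is a weak signal on its own; the join below attributes the request to a process.```
index=windows EventCode=4768 Ticket_Encryption_Type=0x17
```Client_Address arrives as an IPv4-mapped IPv6 string ("::ffff:a.b.c.d"); keep the last ":"-separated part.```
| eval temp=split(Client_Address, ":")
| eval Client_Address=mvindex(temp,-1)
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Pair the request with the Windows Filtering Platform outbound-connection event (5156) to the KDC port on a non-DC host. Application_Name is renamed to ApplicationName so the table column is populated, matching the other queries.```
| join SourcePort, SourceAddress
[
search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
| rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName
]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name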
jurelou commented Jul 15, 2022

Hello, I could not successfully use your detection against this sample: https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0006-Credential%20Access/T1558-Steal%20or%20Forge%20Kerberos%20Tickets

in your first search query = "search index=windows sourcetype=Security EventCode=4769 Service_Name!=*$ Service_Name!=krbtgt Failure_Code =0x0 Account_Name!=*$* AND ((Ticket_Encryption_Type=0x17 AND (Ticket_Options=0x40800018) OR (Ticket_Options=0x40800000)) OR (Ticket_Encryption_Type=0x12 AND Ticket_Options=0x40800000)) earliest=-1hr"

You are checking for RC4 + options = 0x40800018 OR 0x40800000

In my dataset, options are 0x40810000.
(the difference between the options is that the 16th bit is set)

Also, in the Microsoft docs those bits are marked as "unused".
Do you have any idea why?
