Kerberos Detection/Investigation
{
"cells": [
{
"cell_type": "code",
"execution_count": 33,
"id": "31e98d20-b644-4be7-a9c4-2c7259074ee3",
"metadata": {},
"outputs": [],
"source": [
"%%capture\n",
"!pip install splunk-sdk\n",
"!pip install pandas\n",
"!pip install pandasql\n",
"import matplotlib.pyplot as plt\n",
"import pandas as pd\n",
"import pandasql\n",
"pd.set_option('display.max_columns', None) \n",
"pd.set_option('display.expand_frame_repr', False)\n",
"pd.set_option('max_colwidth', 0)\n",
"\n",
"import splunklib.client as client\n",
"# Create a Service instance and log in \n",
"service = client.connect(\n",
" host='', #Input your Splunk's IP here\n",
" port='8089',\n",
" username=\"admin\",\n",
" password=\"\",\n",
" scheme='https')"
]
},
{
"cell_type": "code",
"execution_count": 34,
"id": "5c31741f-49da-40ae-9ec3-4baa9d6abee5",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/1547866794.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"import splunklib.results as results\n",
"#Query: \n",
"query = \"search index=windows sourcetype=Security EventCode=4769 Service_Name!=*$ Service_Name!=krbtgt Failure_Code =0x0 Account_Name!=*$* AND ((Ticket_Encryption_Type=0x17 AND (Ticket_Options=0x40800018) OR (Ticket_Options=0x40800000)) OR (Ticket_Encryption_Type=0x12 AND Ticket_Options=0x40800000)) earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID =pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_4769_kerberoasting = pd.DataFrame(df4_EID)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "b6eba2c8-0c2b-462b-a8c3-3254aa051352",
"metadata": {},
"outputs": [],
"source": [
"import splunklib.results as results\n",
"#Query: \n",
"query = \"search index=windows sourcetype=Security EventCode=4769 earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID=pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_4769_s4u2self = pd.DataFrame(df4_EID)"
]
},
{
"cell_type": "code",
"execution_count": 52,
"id": "35ef8ecb-646b-4c02-b377-83fe591bcc6a",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/3561581670.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"import splunklib.results as results\n",
"#Query: \n",
"query = \"search index=windows sourcetype=Security EventCode=4768 Ticket_Encryption_Type=0x17 earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID=pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_4768_asktgt = pd.DataFrame(df4_EID)"
]
},
{
"cell_type": "code",
"execution_count": 64,
"id": "f8c60fef-093a-42a7-8c57-7da1e4d3f74b",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/2979222138.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"import splunklib.results as results\n",
"#Query: \n",
"query = \"search index=windows sourcetype=Security EventCode=5156 Destination_Port=88 host!=*DC* earliest=-1hr\"\n",
"query_results = service.jobs.oneshot(query, count=0)\n",
"reader = results.ResultsReader(query_results)\n",
"\n",
"results = []\n",
"\n",
"for result in reader:\n",
" results.append(result)\n",
" \n",
"df_EID=pd.DataFrame(results)\n",
"df2_EID = df_EID.Message\n",
"df3_EID = df2_EID.str.split('\\n')\n",
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
"df5_EID_5156_Client = pd.DataFrame(df4_EID)\n",
"\n",
"\n",
"AccountName = df5_EID_4768_asktgt['Account Name'].str.split('@').str[-2]\n",
"df5_EID_4768_asktgt.update(AccountName)\n",
"ServiceID = df5_EID_4768_asktgt['Service ID'].str.split('\\\\').str[-1]\n",
"df5_EID_4768_asktgt.update(ServiceID)\n",
"ClientAddress = df5_EID_4768_asktgt['Client Address'].str.split(':').str[-1]\n",
"df5_EID_4768_asktgt.update(ClientAddress)\n",
"#df5_EID_5156_Client['Process ID'] = pd.to_numeric(df5_EID_5156_Client['Process ID']).apply(hex)\n",
"df5_EID_5156_Client['Process ID'] = pd.to_numeric(df5_EID_5156_Client['Process ID'])"
]
},
{
"cell_type": "code",
"execution_count": 65,
"id": "3bd17173-6842-4952-9a75-271ba1213178",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Process ID</th>\n",
" <th>Application Name</th>\n",
" <th>Direction</th>\n",
" <th>Source Address</th>\n",
" <th>Source Port</th>\n",
" <th>Destination Address</th>\n",
" <th>Destination Port</th>\n",
" <th>Protocol</th>\n",
" <th>Filter Run-Time ID</th>\n",
" <th>Layer Name</th>\n",
" <th>Layer Run-Time ID</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>5552</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52411</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>3548</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52394</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>3548</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52393</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>3548</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52391</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52390</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52389</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52388</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52387</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52386</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>7204</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52263</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>7204</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52262</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>11</th>\n",
" <td>7204</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52260</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>12</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52259</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>13</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52258</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>14</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52232</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>15</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52231</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>16</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52230</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>17</th>\n",
" <td>200</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52209</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>18</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52208</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>19</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52207</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>20</th>\n",
" <td>728</td>\n",
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52206</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" Process ID Application Name Direction Source Address Source Port Destination Address Destination Port Protocol Filter Run-Time ID Layer Name Layer Run-Time ID\n",
"0 5552 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52411 192.168.2.11 88 6 0 Connect 48 \n",
"1 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52394 192.168.2.11 88 6 0 Connect 48 \n",
"2 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52393 192.168.2.11 88 6 0 Connect 48 \n",
"3 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52391 192.168.2.11 88 6 0 Connect 48 \n",
"4 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52390 192.168.2.11 88 6 0 Connect 48 \n",
"5 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52389 192.168.2.11 88 6 0 Connect 48 \n",
"6 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52388 192.168.2.11 88 6 0 Connect 48 \n",
"7 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52387 192.168.2.11 88 6 0 Connect 48 \n",
"8 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52386 192.168.2.11 88 6 0 Connect 48 \n",
"9 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52263 192.168.2.11 88 6 0 Connect 48 \n",
"10 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52262 192.168.2.11 88 6 0 Connect 48 \n",
"11 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52260 192.168.2.11 88 6 0 Connect 48 \n",
"12 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52259 192.168.2.11 88 6 0 Connect 48 \n",
"13 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52258 192.168.2.11 88 6 0 Connect 48 \n",
"14 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52232 192.168.2.11 88 6 0 Connect 48 \n",
"15 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52231 192.168.2.11 88 6 0 Connect 48 \n",
"16 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52230 192.168.2.11 88 6 0 Connect 48 \n",
"17 200 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52209 192.168.2.11 88 6 0 Connect 48 \n",
"18 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52208 192.168.2.11 88 6 0 Connect 48 \n",
"19 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52207 192.168.2.11 88 6 0 Connect 48 \n",
"20 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52206 192.168.2.11 88 6 0 Connect 48 "
]
},
"execution_count": 65,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"df5_EID_5156_Client"
]
},
{
"cell_type": "code",
"execution_count": 66,
"id": "ac0bd7f0-91ab-4411-a6c2-25c77a3f1d9f",
"metadata": {},
"outputs": [],
"source": [
"from pandasql import sqldf\n",
"ClientSide_AskTGT_Kerberoasting = pandasql.sqldf(\n",
"\"\"\"\n",
"SELECT *\n",
"FROM df5_EID_4768_asktgt a\n",
"JOIN df5_EID_5156_Client b \n",
"ON a.'Client Port' == b.'Source Port'\n",
"AND a.'Client Address' == b.'Source Address'\n",
"\"\"\"\n",
"\n",
").drop_duplicates().reset_index().drop(\"index\", axis=1)"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "0fc540f5-7b3d-4058-bbb6-481b3e34d25f",
"metadata": {},
"outputs": [],
"source": [
"from pandasql import sqldf\n",
"ClientSide_S4U2Self = pandasql.sqldf(\n",
"\"\"\"\n",
"SELECT *\n",
"FROM df5_EID_4769_s4u2self a\n",
"JOIN df5_EID_5156_Client b \n",
"ON a.'Client Port' == b.'Source Port'\n",
"AND a.'Client Address' == b.'Source Address'\n",
"WHERE a.'Ticket Options' == \"0x40800018\" AND a.'Failure Code' == \"0x0\"\n",
"\"\"\"\n",
"\n",
").drop_duplicates().reset_index().drop(\"index\", axis=1)"
]
},
{
"cell_type": "code",
"execution_count": 67,
"id": "7504e827-63cd-499e-b55b-044af4a6ca8d",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>Account Name</th>\n",
" <th>Supplied Realm Name</th>\n",
" <th>User ID</th>\n",
" <th>Service Name</th>\n",
" <th>Service ID</th>\n",
" <th>Client Address</th>\n",
" <th>Client Port</th>\n",
" <th>Ticket Options</th>\n",
" <th>Result Code</th>\n",
" <th>Ticket Encryption Type</th>\n",
" <th>Pre-Authentication Type</th>\n",
" <th>Process ID</th>\n",
" <th>Application Name</th>\n",
" <th>Direction</th>\n",
" <th>Source Address</th>\n",
" <th>Source Port</th>\n",
" <th>Destination Address</th>\n",
" <th>Destination Port</th>\n",
" <th>Protocol</th>\n",
" <th>Filter Run-Time ID</th>\n",
" <th>Layer Name</th>\n",
" <th>Layer Run-Time ID</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>panther</td>\n",
" <td>marvel.local</td>\n",
" <td>MARVEL\\panther</td>\n",
" <td>krbtgt</td>\n",
" <td>krbtgt</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52411</td>\n",
" <td>0x40800010</td>\n",
" <td>0x0</td>\n",
" <td>0x17</td>\n",
" <td>2</td>\n",
" <td>5552</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52411</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>panther</td>\n",
" <td>marvel.local</td>\n",
" <td>MARVEL\\panther</td>\n",
" <td>krbtgt</td>\n",
" <td>krbtgt</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52209</td>\n",
" <td>0x40800010</td>\n",
" <td>0x0</td>\n",
" <td>0x17</td>\n",
" <td>2</td>\n",
" <td>200</td>\n",
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n",
" <td>Outbound</td>\n",
" <td>192.168.2.10</td>\n",
" <td>52209</td>\n",
" <td>192.168.2.11</td>\n",
" <td>88</td>\n",
" <td>6</td>\n",
" <td>0</td>\n",
" <td>Connect</td>\n",
" <td>48</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" Account Name Supplied Realm Name User ID Service Name Service ID Client Address Client Port Ticket Options Result Code Ticket Encryption Type Pre-Authentication Type Process ID Application Name Direction Source Address Source Port Destination Address Destination Port Protocol Filter Run-Time ID Layer Name Layer Run-Time ID\n",
"0 panther marvel.local MARVEL\\panther krbtgt krbtgt 192.168.2.10 52411 0x40800010 0x0 0x17 2 5552 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52411 192.168.2.11 88 6 0 Connect 48 \n",
"1 panther marvel.local MARVEL\\panther krbtgt krbtgt 192.168.2.10 52209 0x40800010 0x0 0x17 2 200 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52209 192.168.2.11 88 6 0 Connect 48 "
]
},
"execution_count": 67,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"ClientSide_AskTGT_Kerberoasting"
]
},
{
"cell_type": "code",
"execution_count": 68,
"id": "b9d760a8-a5f9-4150-8c4f-12232f51ebbd",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/3290488740.py:7: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"Query_4688 = []\n",
"for a in ClientSide_AskTGT_Kerberoasting['Process ID']:\n",
" import splunklib.results as results\n",
" #Query: \n",
" query = \"search index=windows sourcetype=Sysmon EventCode=1 ProcessId={} earliest=-4hr\".format(a)\n",
" query_results = service.jobs.oneshot(query, count=0)\n",
" reader = results.ResultsReader(query_results)\n",
"\n",
" results = []\n",
"\n",
" for result in reader:\n",
" results.append(result)\n",
"\n",
" df_EID=pd.DataFrame(results)\n",
" df2_EID = df_EID.Message\n",
" df3_EID = df2_EID.str.split('\\n')\n",
" df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
" Query_4688.append(pd.DataFrame(df4_EID))\n",
" break\n",
"df = pd.concat(Query_4688)"
]
},
{
"cell_type": "code",
"execution_count": 69,
"id": "02363626-4e96-46fb-b7b3-548f6d860461",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>RuleName</th>\n",
" <th>UtcTime</th>\n",
" <th>ProcessGuid</th>\n",
" <th>ProcessId</th>\n",
" <th>Image</th>\n",
" <th>FileVersion</th>\n",
" <th>Description</th>\n",
" <th>Product</th>\n",
" <th>Company</th>\n",
" <th>OriginalFileName</th>\n",
" <th>CommandLine</th>\n",
" <th>CurrentDirectory</th>\n",
" <th>User</th>\n",
" <th>LogonGuid</th>\n",
" <th>LogonId</th>\n",
" <th>TerminalSessionId</th>\n",
" <th>IntegrityLevel</th>\n",
" <th>Hashes</th>\n",
" <th>ParentProcessGuid</th>\n",
" <th>ParentProcessId</th>\n",
" <th>ParentImage</th>\n",
" <th>ParentCommandLine</th>\n",
" <th>ParentUser</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:36:14.649</td>\n",
" <td>{56d91ad3-e66e-62ce-5e2f-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:06:17.648</td>\n",
" <td>{56d91ad3-df69-62ce-452e-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</td>\n",
" <td>103.0.5060.114</td>\n",
" <td>Google Chrome</td>\n",
" <td>Google Chrome</td>\n",
" <td>Google LLC</td>\n",
" <td>chrome.exe</td>\n",
" <td>\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --launch-time-ticks=71269923481 --mojo-platform-channel-handle=6468 --field-trial-handle=1700,i,7950739293659264102,16766236593476826016,131072 /prefetch:1</td>\n",
" <td>C:\\Program Files\\Google\\Chrome\\Application\\103.0.5060.114\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-c160-0b0000000000}</td>\n",
" <td>0xB60C1</td>\n",
" <td>2</td>\n",
" <td>Low</td>\n",
" <td>SHA1=AF8A6E7216F67CA5D220084D07E1ED922AC72817,MD5=D3E37D1F3304AB7EDAA2E4D3AC183980,SHA256=AA395EE3B33142BD96382709C515F321D122E2499F773A457868C8666C9177A2,IMPHASH=6B4443349D1BF3B7F64F196B03E28222</td>\n",
" <td>{56d91ad3-ca26-62cd-2801-000000002f00}</td>\n",
" <td>4240</td>\n",
" <td>C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</td>\n",
" <td>\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:58:55.922</td>\n",
" <td>{56d91ad3-ddaf-62ce-f92d-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Windows\\System32\\smartscreen.exe</td>\n",
" <td>10.0.19041.1052 (WinBuild.160101.0800)</td>\n",
" <td>Windows Defender SmartScreen</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>smartscreen.exe</td>\n",
" <td>C:\\Windows\\System32\\smartscreen.exe -Embedding</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-c160-0b0000000000}</td>\n",
" <td>0xB60C1</td>\n",
" <td>2</td>\n",
" <td>Medium</td>\n",
" <td>SHA1=183E877F488F2DF9F304F60A42514A334720399F,MD5=521ED922765BCA8F79BD76188F879311,SHA256=9605680FC164ACB985C031ECA2C8BC4909CF8B749C571DB6DE2B0B2C204C2163,IMPHASH=6DFBF12753AF176E3C203C407493A5B9</td>\n",
" <td>{56d91ad3-c9b2-62cd-0f00-000000002f00}</td>\n",
" <td>844</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:56:00.159</td>\n",
" <td>{56d91ad3-dd00-62ce-e12d-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>-</td>\n",
" <td>\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" <td>{56d91ad3-c9b1-62cd-e703-000000000000}</td>\n",
" <td>0x3E7</td>\n",
" <td>0</td>\n",
" <td>System</td>\n",
" <td>SHA1=E73E8A345775B9E136D131758073B194CC629086,MD5=16D726D7FB24044AA736D7E3A0C6C307,SHA256=417219BE9BC27BF2906BE8BF3C253094B7A3B79A134CEDAEF9366E88A48D5E24,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9</td>\n",
" <td>{56d91ad3-c9b8-62cd-5500-000000002f00}</td>\n",
" <td>3452</td>\n",
" <td>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</td>\n",
" <td>\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" RuleName UtcTime ProcessGuid ProcessId Image FileVersion Description Product Company OriginalFileName CommandLine CurrentDirectory User LogonGuid LogonId TerminalSessionId IntegrityLevel Hashes ParentProcessGuid ParentProcessId ParentImage ParentCommandLine ParentUser\n",
"0 - 2022-07-13 15:36:14.649 {56d91ad3-e66e-62ce-5e2f-000000002f00} 5552 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"1 - 2022-07-13 15:06:17.648 {56d91ad3-df69-62ce-452e-000000002f00} 5552 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe 103.0.5060.114 Google Chrome Google Chrome Google LLC chrome.exe \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --launch-time-ticks=71269923481 --mojo-platform-channel-handle=6468 --field-trial-handle=1700,i,7950739293659264102,16766236593476826016,131072 /prefetch:1 C:\\Program Files\\Google\\Chrome\\Application\\103.0.5060.114\\ MARVEL\\thor {56d91ad3-c9cc-62cd-c160-0b0000000000} 0xB60C1 2 Low SHA1=AF8A6E7216F67CA5D220084D07E1ED922AC72817,MD5=D3E37D1F3304AB7EDAA2E4D3AC183980,SHA256=AA395EE3B33142BD96382709C515F321D122E2499F773A457868C8666C9177A2,IMPHASH=6B4443349D1BF3B7F64F196B03E28222 {56d91ad3-ca26-62cd-2801-000000002f00} 4240 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" MARVEL\\thor \n",
"2 - 2022-07-13 14:58:55.922 {56d91ad3-ddaf-62ce-f92d-000000002f00} 5552 C:\\Windows\\System32\\smartscreen.exe 10.0.19041.1052 (WinBuild.160101.0800) Windows Defender SmartScreen Microsoft® Windows® Operating System Microsoft Corporation smartscreen.exe C:\\Windows\\System32\\smartscreen.exe -Embedding C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-c160-0b0000000000} 0xB60C1 2 Medium SHA1=183E877F488F2DF9F304F60A42514A334720399F,MD5=521ED922765BCA8F79BD76188F879311,SHA256=9605680FC164ACB985C031ECA2C8BC4909CF8B749C571DB6DE2B0B2C204C2163,IMPHASH=6DFBF12753AF176E3C203C407493A5B9 {56d91ad3-c9b2-62cd-0f00-000000002f00} 844 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p NT AUTHORITY\\SYSTEM\n",
"3 - 2022-07-13 14:56:00.159 {56d91ad3-dd00-62ce-e12d-000000002f00} 5552 C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe - - - - - \"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2 C:\\Windows\\system32\\ NT AUTHORITY\\SYSTEM {56d91ad3-c9b1-62cd-e703-000000000000} 0x3E7 0 System SHA1=E73E8A345775B9E136D131758073B194CC629086,MD5=16D726D7FB24044AA736D7E3A0C6C307,SHA256=417219BE9BC27BF2906BE8BF3C253094B7A3B79A134CEDAEF9366E88A48D5E24,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 {56d91ad3-c9b8-62cd-5500-000000002f00} 3452 C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe \"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service NT AUTHORITY\\SYSTEM"
]
},
"execution_count": 69,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"df"
]
},
{
"cell_type": "code",
"execution_count": 70,
"id": "9fc420f1-8f0b-4f19-9d6c-ad988a10f92a",
"metadata": {},
"outputs": [
{
"name": "stderr",
"output_type": "stream",
"text": [
"/tmp/ipykernel_447/23119429.py:8: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n",
" reader = results.ResultsReader(query_results)\n"
]
}
],
"source": [
"LogonData = []\n",
"for a in df['LogonId']:\n",
" if a != \"0x3E7\":\n",
" import splunklib.results as results\n",
" #Query: \n",
" query = \"search index=windows sourcetype=Sysmon EventCode=1 LogonId={}\".format(a)\n",
" query_results = service.jobs.oneshot(query, count=0)\n",
" reader = results.ResultsReader(query_results)\n",
"\n",
" results = []\n",
"\n",
" for result in reader:\n",
" results.append(result)\n",
"\n",
" df_EID=pd.DataFrame(results)\n",
" df2_EID = df_EID.Message\n",
" df3_EID = df2_EID.str.split('\\n')\n",
" df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n",
" LogonData.append(pd.DataFrame(df4_EID))\n",
" break\n",
"Logondf = pd.concat(LogonData)"
]
},
{
"cell_type": "code",
"execution_count": 71,
"id": "fcd72a97-b331-46e9-a7bb-16398a4c2287",
"metadata": {},
"outputs": [
{
"data": {
"text/html": [
"<div>\n",
"<style scoped>\n",
" .dataframe tbody tr th:only-of-type {\n",
" vertical-align: middle;\n",
" }\n",
"\n",
" .dataframe tbody tr th {\n",
" vertical-align: top;\n",
" }\n",
"\n",
" .dataframe thead th {\n",
" text-align: right;\n",
" }\n",
"</style>\n",
"<table border=\"1\" class=\"dataframe\">\n",
" <thead>\n",
" <tr style=\"text-align: right;\">\n",
" <th></th>\n",
" <th>RuleName</th>\n",
" <th>UtcTime</th>\n",
" <th>ProcessGuid</th>\n",
" <th>ProcessId</th>\n",
" <th>Image</th>\n",
" <th>FileVersion</th>\n",
" <th>Description</th>\n",
" <th>Product</th>\n",
" <th>Company</th>\n",
" <th>OriginalFileName</th>\n",
" <th>CommandLine</th>\n",
" <th>CurrentDirectory</th>\n",
" <th>User</th>\n",
" <th>LogonGuid</th>\n",
" <th>LogonId</th>\n",
" <th>TerminalSessionId</th>\n",
" <th>IntegrityLevel</th>\n",
" <th>Hashes</th>\n",
" <th>ParentProcessGuid</th>\n",
" <th>ParentProcessId</th>\n",
" <th>ParentImage</th>\n",
" <th>ParentCommandLine</th>\n",
" <th>ParentUser</th>\n",
" </tr>\n",
" </thead>\n",
" <tbody>\n",
" <tr>\n",
" <th>0</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:36:14.649</td>\n",
" <td>{56d91ad3-e66e-62ce-5e2f-000000002f00}</td>\n",
" <td>5552</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>1</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:32:19.853</td>\n",
" <td>{56d91ad3-e583-62ce-382f-000000002f00}</td>\n",
" <td>3548</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>2</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:32:18.204</td>\n",
" <td>{56d91ad3-e582-62ce-372f-000000002f00}</td>\n",
" <td>2476</td>\n",
" <td>C:\\Windows\\System32\\klist.exe</td>\n",
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n",
" <td>Tool for managing the Kerberos ticket cache</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>klist.exe</td>\n",
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>3</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 15:01:18.712</td>\n",
" <td>{56d91ad3-de3e-62ce-152e-000000002f00}</td>\n",
" <td>7204</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>4</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:59:38.424</td>\n",
" <td>{56d91ad3-ddda-62ce-012e-000000002f00}</td>\n",
" <td>9228</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>5</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:58:33.255</td>\n",
" <td>{56d91ad3-dd99-62ce-f52d-000000002f00}</td>\n",
" <td>3100</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt kerberoast</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>6</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:53:51.822</td>\n",
" <td>{56d91ad3-dc7f-62ce-cc2d-000000002f00}</td>\n",
" <td>200</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>7</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:53:48.482</td>\n",
" <td>{56d91ad3-dc7c-62ce-cb2d-000000002f00}</td>\n",
" <td>8680</td>\n",
" <td>C:\\Windows\\System32\\klist.exe</td>\n",
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n",
" <td>Tool for managing the Kerberos ticket cache</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>klist.exe</td>\n",
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>8</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:53:38.250</td>\n",
" <td>{56d91ad3-dc72-62ce-ca2d-000000002f00}</td>\n",
" <td>8012</td>\n",
" <td>C:\\Windows\\System32\\auditpol.exe</td>\n",
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n",
" <td>Audit Policy Program</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>AUDITPOL.EXE</td>\n",
" <td>\"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>9</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:51:28.865</td>\n",
" <td>{56d91ad3-dbf0-62ce-b02d-000000002f00}</td>\n",
" <td>7088</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>10</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 14:45:35.253</td>\n",
" <td>{56d91ad3-da8f-62ce-6c2d-000000002f00}</td>\n",
" <td>7056</td>\n",
" <td>C:\\Windows\\System32\\klist.exe</td>\n",
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n",
" <td>Tool for managing the Kerberos ticket cache</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>klist.exe</td>\n",
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>11</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:33:37.653</td>\n",
" <td>{56d91ad3-12e1-62ce-8f0d-000000002f00}</td>\n",
" <td>4736</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>12</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:57.679</td>\n",
" <td>{56d91ad3-12b9-62ce-6d0d-000000002f00}</td>\n",
" <td>1320</td>\n",
" <td>C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\DismHost.exe</td>\n",
" <td>10.0.19041.746 (WinBuild.160101.0800)</td>\n",
" <td>Dism Host Servicing Process</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>DismHost.exe</td>\n",
" <td>C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\dismhost.exe {432304F9-73D7-4EEE-B662-354362A6C263}</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=DBB14DCDA6502AB1D23A7C77D405DAFBCBEB439E,MD5=E5D5E9C1F65B8EC7AA5B7F1B1ACDD731,SHA256=E30508E2088BC16B2A84233CED64995F738DEAEF2366AC6C86B35C93BBCD9D80,IMPHASH=D204EB506D6ABBEB4C51A54E8F6C1789</td>\n",
" <td>{56d91ad3-12a7-62ce-5b0d-000000002f00}</td>\n",
" <td>6904</td>\n",
" <td>C:\\Windows\\System32\\cleanmgr.exe</td>\n",
" <td>C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>13</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:41.271</td>\n",
" <td>{56d91ad3-12a9-62ce-5f0d-000000002f00}</td>\n",
" <td>1096</td>\n",
" <td>C:\\Windows\\System32\\conhost.exe</td>\n",
" <td>10.0.19041.1320 (WinBuild.160101.0800)</td>\n",
" <td>Console Window Host</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>CONHOST.EXE</td>\n",
" <td>\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1</td>\n",
" <td>C:\\Windows</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7</td>\n",
" <td>{56d91ad3-12a9-62ce-5e0d-000000002f00}</td>\n",
" <td>1964</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe -Embedding</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>14</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:41.223</td>\n",
" <td>{56d91ad3-12a9-62ce-5e0d-000000002f00}</td>\n",
" <td>1964</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe</td>\n",
" <td>10.0.19041.1 (WinBuild.160101.0800)</td>\n",
" <td>Scripted Diagnostics Native Host</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>sdiagnhost.exe</td>\n",
" <td>C:\\Windows\\System32\\sdiagnhost.exe -Embedding</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=540745F1CE67423A156069218680B9DA873B4778,MD5=6A21B1893DDE94CB87BA56111375888A,SHA256=761815301A00D0B3A7BB4959A5004B623C55009CE701C6E867C96F468DC1323A,IMPHASH=88C840A970A1633DCA61E1CD2D926E21</td>\n",
" <td>{56d91ad3-c9b2-62cd-0f00-000000002f00}</td>\n",
" <td>844</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>15</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:39.738</td>\n",
" <td>{56d91ad3-12a7-62ce-5b0d-000000002f00}</td>\n",
" <td>6904</td>\n",
" <td>C:\\Windows\\System32\\cleanmgr.exe</td>\n",
" <td>10.0.19041.1266 (WinBuild.160101.0800)</td>\n",
" <td>Disk Space Cleanup Manager for Windows</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>CLEANMGR.DLL</td>\n",
" <td>C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=D0782098CBF41490EA1E54DB5D21A679F332A113,MD5=CD0D99EBE88D11F55136EAE39CCF8F6E,SHA256=ACD2CBFB4C9FB8FE20C21A7EC99445D1426CEE90FF3091115EB4C9484B69EA9D,IMPHASH=98FFD535813DA56E7646C88F49DBE567</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>16</th>\n",
" <td>-</td>\n",
" <td>2022-07-13 00:32:38.954</td>\n",
" <td>{56d91ad3-12a6-62ce-4f0d-000000002f00}</td>\n",
" <td>4808</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>17</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:27:35.194</td>\n",
" <td>{56d91ad3-cb27-62cd-9201-000000002f00}</td>\n",
" <td>2312</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>18</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:26:43.102</td>\n",
" <td>{56d91ad3-caf3-62cd-7401-000000002f00}</td>\n",
" <td>2608</td>\n",
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n",
" <td>1.0.0.0</td>\n",
" <td>Rubeus</td>\n",
" <td>Rubeus</td>\n",
" <td>-</td>\n",
" <td>Rubeus.exe</td>\n",
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever1!</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>19</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:26:33.398</td>\n",
" <td>{56d91ad3-cae9-62cd-6f01-000000002f00}</td>\n",
" <td>1176</td>\n",
" <td>C:\\Windows\\System32\\auditpol.exe</td>\n",
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n",
" <td>Audit Policy Program</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>AUDITPOL.EXE</td>\n",
" <td>\"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable</td>\n",
" <td>C:\\Users\\thor\\Desktop\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>20</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:25:27.022</td>\n",
" <td>{56d91ad3-caa7-62cd-6501-000000002f00}</td>\n",
" <td>7304</td>\n",
" <td>C:\\Windows\\System32\\mmc.exe</td>\n",
" <td>10.0.19041.746 (WinBuild.160101.0800)</td>\n",
" <td>Microsoft Management Console</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>mmc.exe</td>\n",
" <td>\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=9269F1FBCF65FEFBC88A2E239519C21EFE0F6BA5,MD5=8C86B80518406F14A4952D67185032D6,SHA256=895EEF1EDA5700A425934AE3782D4741DFEFB7DEAFA53891BDE490150187B98A,IMPHASH=6D8477830CFE8D50B7224D91F4DD7CB9</td>\n",
" <td>{56d91ad3-c9d8-62cd-d500-000000002f00}</td>\n",
" <td>7196</td>\n",
" <td>C:\\Windows\\explorer.exe</td>\n",
" <td>C:\\Windows\\Explorer.EXE</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>21</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:24:14.820</td>\n",
" <td>{56d91ad3-ca5e-62cd-5601-000000002f00}</td>\n",
" <td>5084</td>\n",
" <td>C:\\Windows\\System32\\conhost.exe</td>\n",
" <td>10.0.19041.1320 (WinBuild.160101.0800)</td>\n",
" <td>Console Window Host</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>CONHOST.EXE</td>\n",
" <td>\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1</td>\n",
" <td>C:\\Windows</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>22</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:24:14.498</td>\n",
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n",
" <td>7968</td>\n",
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n",
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n",
" <td>Windows PowerShell</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>PowerShell.EXE</td>\n",
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7</td>\n",
" <td>{56d91ad3-c9d8-62cd-d500-000000002f00}</td>\n",
" <td>7196</td>\n",
" <td>C:\\Windows\\explorer.exe</td>\n",
" <td>C:\\Windows\\Explorer.EXE</td>\n",
" <td>MARVEL\\thor</td>\n",
" </tr>\n",
" <tr>\n",
" <th>23</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:23:06.122</td>\n",
" <td>{56d91ad3-ca1a-62cd-1e01-000000002f00}</td>\n",
" <td>9940</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe $(Arg0)</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" <tr>\n",
" <th>24</th>\n",
" <td>-</td>\n",
" <td>2022-07-12 19:21:56.825</td>\n",
" <td>{56d91ad3-c9d4-62cd-cb00-000000002f00}</td>\n",
" <td>6308</td>\n",
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n",
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n",
" <td>Host Process for Windows Tasks</td>\n",
" <td>Microsoft® Windows® Operating System</td>\n",
" <td>Microsoft Corporation</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>taskhostw.exe</td>\n",
" <td>C:\\Windows\\system32\\</td>\n",
" <td>MARVEL\\thor</td>\n",
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n",
" <td>0xB603F</td>\n",
" <td>2</td>\n",
" <td>High</td>\n",
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n",
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n",
" <td>1296</td>\n",
" <td>C:\\Windows\\System32\\svchost.exe</td>\n",
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n",
" <td>NT AUTHORITY\\SYSTEM</td>\n",
" </tr>\n",
" </tbody>\n",
"</table>\n",
"</div>"
],
"text/plain": [
" RuleName UtcTime ProcessGuid ProcessId Image FileVersion Description Product Company OriginalFileName CommandLine CurrentDirectory User LogonGuid LogonId TerminalSessionId IntegrityLevel Hashes ParentProcessGuid ParentProcessId ParentImage ParentCommandLine ParentUser\n",
"0 - 2022-07-13 15:36:14.649 {56d91ad3-e66e-62ce-5e2f-000000002f00} 5552 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"1 - 2022-07-13 15:32:19.853 {56d91ad3-e583-62ce-382f-000000002f00} 3548 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"2 - 2022-07-13 15:32:18.204 {56d91ad3-e582-62ce-372f-000000002f00} 2476 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"3 - 2022-07-13 15:01:18.712 {56d91ad3-de3e-62ce-152e-000000002f00} 7204 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"4 - 2022-07-13 14:59:38.424 {56d91ad3-ddda-62ce-012e-000000002f00} 9228 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"5 - 2022-07-13 14:58:33.255 {56d91ad3-dd99-62ce-f52d-000000002f00} 3100 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt kerberoast C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"6 - 2022-07-13 14:53:51.822 {56d91ad3-dc7f-62ce-cc2d-000000002f00} 200 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"7 - 2022-07-13 14:53:48.482 {56d91ad3-dc7c-62ce-cb2d-000000002f00} 8680 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"8 - 2022-07-13 14:53:38.250 {56d91ad3-dc72-62ce-ca2d-000000002f00} 8012 C:\\Windows\\System32\\auditpol.exe 10.0.19041.546 (WinBuild.160101.0800) Audit Policy Program Microsoft® Windows® Operating System Microsoft Corporation AUDITPOL.EXE \"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"9 - 2022-07-13 14:51:28.865 {56d91ad3-dbf0-62ce-b02d-000000002f00} 7088 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"10 - 2022-07-13 14:45:35.253 {56d91ad3-da8f-62ce-6c2d-000000002f00} 7056 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"11 - 2022-07-13 00:33:37.653 {56d91ad3-12e1-62ce-8f0d-000000002f00} 4736 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"12 - 2022-07-13 00:32:57.679 {56d91ad3-12b9-62ce-6d0d-000000002f00} 1320 C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\DismHost.exe 10.0.19041.746 (WinBuild.160101.0800) Dism Host Servicing Process Microsoft® Windows® Operating System Microsoft Corporation DismHost.exe C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\dismhost.exe {432304F9-73D7-4EEE-B662-354362A6C263} C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=DBB14DCDA6502AB1D23A7C77D405DAFBCBEB439E,MD5=E5D5E9C1F65B8EC7AA5B7F1B1ACDD731,SHA256=E30508E2088BC16B2A84233CED64995F738DEAEF2366AC6C86B35C93BBCD9D80,IMPHASH=D204EB506D6ABBEB4C51A54E8F6C1789 {56d91ad3-12a7-62ce-5b0d-000000002f00} 6904 C:\\Windows\\System32\\cleanmgr.exe C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C: MARVEL\\thor \n",
"13 - 2022-07-13 00:32:41.271 {56d91ad3-12a9-62ce-5f0d-000000002f00} 1096 C:\\Windows\\System32\\conhost.exe 10.0.19041.1320 (WinBuild.160101.0800) Console Window Host Microsoft® Windows® Operating System Microsoft Corporation CONHOST.EXE \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 C:\\Windows MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7 {56d91ad3-12a9-62ce-5e0d-000000002f00} 1964 C:\\Windows\\System32\\sdiagnhost.exe C:\\Windows\\System32\\sdiagnhost.exe -Embedding MARVEL\\thor \n",
"14 - 2022-07-13 00:32:41.223 {56d91ad3-12a9-62ce-5e0d-000000002f00} 1964 C:\\Windows\\System32\\sdiagnhost.exe 10.0.19041.1 (WinBuild.160101.0800) Scripted Diagnostics Native Host Microsoft® Windows® Operating System Microsoft Corporation sdiagnhost.exe C:\\Windows\\System32\\sdiagnhost.exe -Embedding C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=540745F1CE67423A156069218680B9DA873B4778,MD5=6A21B1893DDE94CB87BA56111375888A,SHA256=761815301A00D0B3A7BB4959A5004B623C55009CE701C6E867C96F468DC1323A,IMPHASH=88C840A970A1633DCA61E1CD2D926E21 {56d91ad3-c9b2-62cd-0f00-000000002f00} 844 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p NT AUTHORITY\\SYSTEM\n",
"15 - 2022-07-13 00:32:39.738 {56d91ad3-12a7-62ce-5b0d-000000002f00} 6904 C:\\Windows\\System32\\cleanmgr.exe 10.0.19041.1266 (WinBuild.160101.0800) Disk Space Cleanup Manager for Windows Microsoft® Windows® Operating System Microsoft Corporation CLEANMGR.DLL C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C: C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=D0782098CBF41490EA1E54DB5D21A679F332A113,MD5=CD0D99EBE88D11F55136EAE39CCF8F6E,SHA256=ACD2CBFB4C9FB8FE20C21A7EC99445D1426CEE90FF3091115EB4C9484B69EA9D,IMPHASH=98FFD535813DA56E7646C88F49DBE567 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"16 - 2022-07-13 00:32:38.954 {56d91ad3-12a6-62ce-4f0d-000000002f00} 4808 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"17 - 2022-07-12 19:27:35.194 {56d91ad3-cb27-62cd-9201-000000002f00} 2312 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"18 - 2022-07-12 19:26:43.102 {56d91ad3-caf3-62cd-7401-000000002f00} 2608 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever1! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"19 - 2022-07-12 19:26:33.398 {56d91ad3-cae9-62cd-6f01-000000002f00} 1176 C:\\Windows\\System32\\auditpol.exe 10.0.19041.546 (WinBuild.160101.0800) Audit Policy Program Microsoft® Windows® Operating System Microsoft Corporation AUDITPOL.EXE \"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"20 - 2022-07-12 19:25:27.022 {56d91ad3-caa7-62cd-6501-000000002f00} 7304 C:\\Windows\\System32\\mmc.exe 10.0.19041.746 (WinBuild.160101.0800) Microsoft Management Console Microsoft® Windows® Operating System Microsoft Corporation mmc.exe \"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=9269F1FBCF65FEFBC88A2E239519C21EFE0F6BA5,MD5=8C86B80518406F14A4952D67185032D6,SHA256=895EEF1EDA5700A425934AE3782D4741DFEFB7DEAFA53891BDE490150187B98A,IMPHASH=6D8477830CFE8D50B7224D91F4DD7CB9 {56d91ad3-c9d8-62cd-d500-000000002f00} 7196 C:\\Windows\\explorer.exe C:\\Windows\\Explorer.EXE MARVEL\\thor \n",
"21 - 2022-07-12 19:24:14.820 {56d91ad3-ca5e-62cd-5601-000000002f00} 5084 C:\\Windows\\System32\\conhost.exe 10.0.19041.1320 (WinBuild.160101.0800) Console Window Host Microsoft® Windows® Operating System Microsoft Corporation CONHOST.EXE \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 C:\\Windows MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n",
"22 - 2022-07-12 19:24:14.498 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe 10.0.19041.546 (WinBuild.160101.0800) Windows PowerShell Microsoft® Windows® Operating System Microsoft Corporation PowerShell.EXE \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7 {56d91ad3-c9d8-62cd-d500-000000002f00} 7196 C:\\Windows\\explorer.exe C:\\Windows\\Explorer.EXE MARVEL\\thor \n",
"23 - 2022-07-12 19:23:06.122 {56d91ad3-ca1a-62cd-1e01-000000002f00} 9940 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe $(Arg0) C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n",
"24 - 2022-07-12 19:21:56.825 {56d91ad3-c9d4-62cd-cb00-000000002f00} 6308 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM"
]
},
"execution_count": 71,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"Logondf"
]
},
{
"cell_type": "code",
"execution_count": null,
"id": "92422cca-fb2a-47c8-a769-55fcefa103b1",
"metadata": {},
"outputs": [],
"source": []
}
],
"metadata": {
"kernelspec": {
"display_name": "Python 3 (ipykernel)",
"language": "python",
"name": "python3"
},
"language_info": {
"codemirror_mode": {
"name": "ipython",
"version": 3
},
"file_extension": ".py",
"mimetype": "text/x-python",
"name": "python",
"nbconvert_exporter": "python",
"pygments_lexer": "ipython3",
"version": "3.9.7"
}
},
"nbformat": 4,
"nbformat_minor": 5
}

Query 1 - S4U2Self (successful 4769 service-ticket requests where the requesting account and the requested service name are the same account, joined to endpoint 5156 outbound tcp/88 connections to recover the client process):

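index=windows EventCode=4769 Ticket_Options=0x40800018 AND Failure_Code=0x0
```S4U2Self tripwire: successful 4769s carrying KDC option set 0x40800018, then keep only those where the requesting account asked for a service ticket to itself (Account_Name == Service_Name). A client that sets a different option set will not match, so treat this as a tripwire rather than a complete detection.```
```A DC logs IPv4 clients in 4769 as IPv4-mapped IPv6 ("::ffff:10.0.0.5"). Strip only that prefix: the previous split(":")/mvindex(-1) also truncated native IPv6 client addresses to their last hextet, which could never join against the 5156 Source_Address.```
| eval Client_Address=replace(Client_Address, "^::ffff:", "")
```4769 Account_Name is user@REALM; compare the bare sAMAccountName, case-insensitively, with the requested Service_Name.```
| eval alt_account_name=upper(mvindex(split(Account_Name,"@"),0))
| eval alt_service_name=upper(mvindex(Service_Name,0))
| where alt_account_name == alt_service_name
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Recover the requesting process from the endpoint's Filtering Platform event (5156, outbound to tcp/88) for the same source ip:port.```
```Caveat: 5156 needs "Audit Filtering Platform Connection" success auditing on the endpoints (the lab enabled it with auditpol /set /category:* /success:enable); it is off by default and very high volume.```
```Caveat: host!=*DC* excludes domain controllers by hostname convention only; substitute a lookup of DC names if your naming differs.```
```Caveat: join is inner and max=1 by default, and its subsearch is silently capped by limits.conf [join] subsearch_maxout / subsearch_maxtime (check your values); over a wide time window the 5156 subsearch will hit that cap.```
```Caveat: the join key is ip:port with no time component; ephemeral ports recycle, so keep the search window short (or add a time constraint) before trusting a match.```
```Caveat: Direction=Outbound assumes your Windows add-on resolves the raw %%14593 code to "Outbound" - confirm against an actual 5156 event.```
| join SourcePort, SourceAddress
[
search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
| rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName
]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name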

Query 2 - Kerberoasting (successful 4769 service-ticket requests for user-account SPNs - machine accounts and krbtgt excluded - filtered by ticket encryption type and KDC options, joined to endpoint 5156 outbound tcp/88 connections to recover the requesting process):

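index=windows EventCode=4769 Service_Name!="*$" Service_Name!="krbtgt" Failure_Code="0x0" Account_Name!="*$*" AND ((Ticket_Encryption_Type=0x17 AND (Ticket_Options=0x40800018 OR Ticket_Options=0x40800000)) OR (Ticket_Encryption_Type=0x12 AND Ticket_Options=0x40800000))
```Kerberoasting: service tickets for SPNs on user accounts (Service_Name!=*$ drops computer accounts, krbtgt is excluded), requested by user accounts, that are either RC4 (0x17) with KDC options 0x40800018 or 0x40800000, or AES256 (0x12) with options 0x40800000.```
```SPL evaluates AND before OR. The previous grouping "(0x17 AND (0x40800018) OR (0x40800000))" parsed as "(0x17 AND 0x40800018) OR 0x40800000", i.e. it matched every encryption type whose options were 0x40800000 and made the AES branch redundant - presumably not what was intended. The parentheses above make the RC4/AES pairing explicit; widen deliberately if you do want any-enctype matches.```
```Caveat: an attacker can request AES tickets and options that mimic a Windows client; baseline RC4 requests per account before alerting, since accounts without AES keys legitimately produce 0x17 tickets.```
```A DC logs IPv4 clients in 4769 as IPv4-mapped IPv6 ("::ffff:10.0.0.5"). Strip only that prefix so native IPv6 client addresses survive intact and still join against the 5156 Source_Address.```
| eval Client_Address=replace(Client_Address, "^::ffff:", "")
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Recover the requesting process from the endpoint's Filtering Platform event (5156, outbound to tcp/88) for the same source ip:port.```
```Caveat: 5156 needs "Audit Filtering Platform Connection" success auditing on the endpoints (the lab enabled it with auditpol /set /category:* /success:enable); it is off by default and very high volume.```
```Caveat: host!=*DC* excludes domain controllers by hostname convention only; substitute a lookup of DC names if your naming differs.```
```Caveat: join is inner and max=1 by default, and its subsearch is silently capped by limits.conf [join] subsearch_maxout / subsearch_maxtime (check your values); the join key is ip:port with no time component, so keep the window short because ephemeral ports recycle.```
| join SourcePort, SourceAddress
[
search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
| rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName
]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name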

Query 3 - AskTGT (4768 TGT requests that used RC4 encryption, joined to endpoint 5156 outbound tcp/88 connections to recover the requesting process):

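index=windows EventCode=4768 Ticket_Encryption_Type=0x17
```AS-REQ (4768) with an RC4 (0x17) ticket: the default a tool like Rubeus asktgt produces when no enctype is specified.```
```Caveat: the attacker controls the encryption type - an AES request (0x12/0x11) will not match this search. Conversely, accounts that have no AES keys (e.g. msDS-SupportedEncryptionTypes not set, or password not changed since AES was enabled) legitimately request RC4, so baseline per account/host before alerting.```
```A DC logs IPv4 clients in 4768 as IPv4-mapped IPv6 ("::ffff:10.0.0.5"). Strip only that prefix so native IPv6 client addresses survive intact and still join against the 5156 Source_Address.```
| eval Client_Address=replace(Client_Address, "^::ffff:", "")
| rename Client_Port AS SourcePort, Client_Address AS SourceAddress
```Recover the requesting process from the endpoint's Filtering Platform event (5156, outbound to tcp/88) for the same source ip:port. Application_Name is renamed to ApplicationName here, as in the other queries; the previous version skipped the rename, so the tabled ApplicationName column was always empty.```
```Caveat: 5156 needs "Audit Filtering Platform Connection" success auditing on the endpoints (the lab enabled it with auditpol /set /category:* /success:enable); host!=*DC* relies on hostname convention; join is inner/max=1 with a subsearch cap (limits.conf [join]) and no time component in the key, so keep the window short.```
| join SourcePort, SourceAddress
[
search index=windows EventCode=5156 Direction=Outbound Destination_Port=88 host!=*DC*
| rename Source_Port AS SourcePort, Source_Address AS SourceAddress, Application_Name AS ApplicationName
]
| table SourceAddress, SourcePort, ApplicationName, Ticket_Encryption_Type, Service_Name, Account_Name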