|
{ |
|
"cells": [ |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 33, |
|
"id": "31e98d20-b644-4be7-a9c4-2c7259074ee3", |
|
"metadata": {}, |
|
"outputs": [], |
|
"source": [ |
|
"%%capture\n", |
|
"!pip install splunk-sdk\n", |
|
"!pip install pandas\n", |
|
"!pip install pandasql\n", |
|
"import matplotlib.pyplot as plt\n", |
|
"import pandas as pd\n", |
|
"import pandasql\n", |
|
"pd.set_option('display.max_columns', None) \n", |
|
"pd.set_option('display.expand_frame_repr', False)\n", |
|
"pd.set_option('max_colwidth', 0)\n", |
|
"\n", |
|
"import splunklib.client as client\n", |
|
"# Create a Service instance and log in; supply the host and credentials from the environment or getpass rather than hardcoding them in the notebook\n", |
|
"service = client.connect(\n", |
|
" host='', #Input your Splunk server's IP or hostname here (this connects to the 8089 management port, not the web UI port)\n", |
|
" port='8089',\n", |
|
" username=\"admin\",\n", |
|
" password=\"\",\n", |
|
" scheme='https')" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 34, |
|
"id": "5c31741f-49da-40ae-9ec3-4baa9d6abee5", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"name": "stderr", |
|
"output_type": "stream", |
|
"text": [ |
|
"/tmp/ipykernel_447/1547866794.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n", |
|
" reader = results.ResultsReader(query_results)\n" |
|
] |
|
} |
|
], |
|
"source": [ |
|
"import splunklib.results as results\n", |
|
"#Query: 4769 (TGS request) events from the last hour for non-machine accounts, excluding krbtgt and machine service names, with a 0x0 failure code and either RC4 (0x17) or AES (0x12) ticket encryption combined with the listed Ticket_Options values\n", |
|
"query = \"search index=windows sourcetype=Security EventCode=4769 Service_Name!=*$ Service_Name!=krbtgt Failure_Code =0x0 Account_Name!=*$* AND ((Ticket_Encryption_Type=0x17 AND (Ticket_Options=0x40800018) OR (Ticket_Options=0x40800000)) OR (Ticket_Encryption_Type=0x12 AND Ticket_Options=0x40800000)) earliest=-1hr\"\n", |
|
"query_results = service.jobs.oneshot(query, count=0)\n", |
|
"reader = results.ResultsReader(query_results)\n", |
|
"\n", |
|
"results = []\n", |
|
"\n", |
|
"for result in reader:\n", |
|
" results.append(result)\n", |
|
" \n", |
|
"df_EID =pd.DataFrame(results)\n", |
|
"df2_EID = df_EID.Message\n", |
|
"df3_EID = df2_EID.str.split('\\n')\n", |
|
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n", |
|
"df5_EID_4769_kerberoasting = pd.DataFrame(df4_EID)" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": null, |
|
"id": "b6eba2c8-0c2b-462b-a8c3-3254aa051352", |
|
"metadata": {}, |
|
"outputs": [], |
|
"source": [ |
|
"import splunklib.results as results\n", |
|
"#Query: all 4769 (TGS request) events from the last hour; the S4U2Self filter on Ticket Options and Failure Code is applied later in the pandasql join\n", |
|
"query = \"search index=windows sourcetype=Security EventCode=4769 earliest=-1hr\"\n", |
|
"query_results = service.jobs.oneshot(query, count=0)\n", |
|
"reader = results.ResultsReader(query_results)\n", |
|
"\n", |
|
"results = []\n", |
|
"\n", |
|
"for result in reader:\n", |
|
" results.append(result)\n", |
|
" \n", |
|
"df_EID=pd.DataFrame(results)\n", |
|
"df2_EID = df_EID.Message\n", |
|
"df3_EID = df2_EID.str.split('\\n')\n", |
|
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n", |
|
"df5_EID_4769_s4u2self = pd.DataFrame(df4_EID)" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 52, |
|
"id": "35ef8ecb-646b-4c02-b377-83fe591bcc6a", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"name": "stderr", |
|
"output_type": "stream", |
|
"text": [ |
|
"/tmp/ipykernel_447/3561581670.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n", |
|
" reader = results.ResultsReader(query_results)\n" |
|
] |
|
} |
|
], |
|
"source": [ |
|
"import splunklib.results as results\n", |
|
"#Query: 4768 (TGT request) events from the last hour whose ticket encryption type is RC4 (0x17)\n", |
|
"query = \"search index=windows sourcetype=Security EventCode=4768 Ticket_Encryption_Type=0x17 earliest=-1hr\"\n", |
|
"query_results = service.jobs.oneshot(query, count=0)\n", |
|
"reader = results.ResultsReader(query_results)\n", |
|
"\n", |
|
"results = []\n", |
|
"\n", |
|
"for result in reader:\n", |
|
" results.append(result)\n", |
|
" \n", |
|
"df_EID=pd.DataFrame(results)\n", |
|
"df2_EID = df_EID.Message\n", |
|
"df3_EID = df2_EID.str.split('\\n')\n", |
|
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n", |
|
"df5_EID_4768_asktgt = pd.DataFrame(df4_EID)" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 64, |
|
"id": "f8c60fef-093a-42a7-8c57-7da1e4d3f74b", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"name": "stderr", |
|
"output_type": "stream", |
|
"text": [ |
|
"/tmp/ipykernel_447/2979222138.py:5: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n", |
|
" reader = results.ResultsReader(query_results)\n" |
|
] |
|
} |
|
], |
|
"source": [ |
|
"import splunklib.results as results\n", |
|
"#Query: 5156 (Windows Filtering Platform connection) events from the last hour to destination port 88 (Kerberos) from hosts whose name does not contain DC\n", |
|
"query = \"search index=windows sourcetype=Security EventCode=5156 Destination_Port=88 host!=*DC* earliest=-1hr\"\n", |
|
"query_results = service.jobs.oneshot(query, count=0)\n", |
|
"reader = results.ResultsReader(query_results)\n", |
|
"\n", |
|
"results = []\n", |
|
"\n", |
|
"for result in reader:\n", |
|
" results.append(result)\n", |
|
" \n", |
|
"df_EID=pd.DataFrame(results)\n", |
|
"df2_EID = df_EID.Message\n", |
|
"df3_EID = df2_EID.str.split('\\n')\n", |
|
"df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n", |
|
"df5_EID_5156_Client = pd.DataFrame(df4_EID)\n", |
|
"\n", |
|
"\n", |
|
"AccountName = df5_EID_4768_asktgt['Account Name'].str.split('@').str[-2]\n", |
|
"df5_EID_4768_asktgt.update(AccountName)\n", |
|
"ServiceID = df5_EID_4768_asktgt['Service ID'].str.split('\\\\').str[-1]\n", |
|
"df5_EID_4768_asktgt.update(ServiceID)\n", |
|
"ClientAddress = df5_EID_4768_asktgt['Client Address'].str.split(':').str[-1]\n", |
|
"df5_EID_4768_asktgt.update(ClientAddress)\n", |
|
"#df5_EID_5156_Client['Process ID'] = pd.to_numeric(df5_EID_5156_Client['Process ID']).apply(hex)\n", |
|
"df5_EID_5156_Client['Process ID'] = pd.to_numeric(df5_EID_5156_Client['Process ID'])" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 65, |
|
"id": "3bd17173-6842-4952-9a75-271ba1213178", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"data": { |
|
"text/html": [ |
|
"<div>\n", |
|
"<style scoped>\n", |
|
" .dataframe tbody tr th:only-of-type {\n", |
|
" vertical-align: middle;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe tbody tr th {\n", |
|
" vertical-align: top;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe thead th {\n", |
|
" text-align: right;\n", |
|
" }\n", |
|
"</style>\n", |
|
"<table border=\"1\" class=\"dataframe\">\n", |
|
" <thead>\n", |
|
" <tr style=\"text-align: right;\">\n", |
|
" <th></th>\n", |
|
" <th>Process ID</th>\n", |
|
" <th>Application Name</th>\n", |
|
" <th>Direction</th>\n", |
|
" <th>Source Address</th>\n", |
|
" <th>Source Port</th>\n", |
|
" <th>Destination Address</th>\n", |
|
" <th>Destination Port</th>\n", |
|
" <th>Protocol</th>\n", |
|
" <th>Filter Run-Time ID</th>\n", |
|
" <th>Layer Name</th>\n", |
|
" <th>Layer Run-Time ID</th>\n", |
|
" </tr>\n", |
|
" </thead>\n", |
|
" <tbody>\n", |
|
" <tr>\n", |
|
" <th>0</th>\n", |
|
" <td>5552</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52411</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>1</th>\n", |
|
" <td>3548</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52394</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>2</th>\n", |
|
" <td>3548</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52393</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>3</th>\n", |
|
" <td>3548</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52391</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>4</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52390</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>5</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52389</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>6</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52388</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>7</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52387</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>8</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52386</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>9</th>\n", |
|
" <td>7204</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52263</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>10</th>\n", |
|
" <td>7204</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52262</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>11</th>\n", |
|
" <td>7204</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52260</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>12</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52259</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>13</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52258</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>14</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52232</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>15</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52231</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>16</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52230</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>17</th>\n", |
|
" <td>200</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52209</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>18</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52208</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>19</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52207</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>20</th>\n", |
|
" <td>728</td>\n", |
|
" <td>\\device\\harddiskvolume2\\windows\\system32\\lsass.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52206</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" </tbody>\n", |
|
"</table>\n", |
|
"</div>" |
|
], |
|
"text/plain": [ |
|
" Process ID Application Name Direction Source Address Source Port Destination Address Destination Port Protocol Filter Run-Time ID Layer Name Layer Run-Time ID\n", |
|
"0 5552 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52411 192.168.2.11 88 6 0 Connect 48 \n", |
|
"1 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52394 192.168.2.11 88 6 0 Connect 48 \n", |
|
"2 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52393 192.168.2.11 88 6 0 Connect 48 \n", |
|
"3 3548 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52391 192.168.2.11 88 6 0 Connect 48 \n", |
|
"4 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52390 192.168.2.11 88 6 0 Connect 48 \n", |
|
"5 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52389 192.168.2.11 88 6 0 Connect 48 \n", |
|
"6 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52388 192.168.2.11 88 6 0 Connect 48 \n", |
|
"7 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52387 192.168.2.11 88 6 0 Connect 48 \n", |
|
"8 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52386 192.168.2.11 88 6 0 Connect 48 \n", |
|
"9 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52263 192.168.2.11 88 6 0 Connect 48 \n", |
|
"10 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52262 192.168.2.11 88 6 0 Connect 48 \n", |
|
"11 7204 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52260 192.168.2.11 88 6 0 Connect 48 \n", |
|
"12 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52259 192.168.2.11 88 6 0 Connect 48 \n", |
|
"13 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52258 192.168.2.11 88 6 0 Connect 48 \n", |
|
"14 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52232 192.168.2.11 88 6 0 Connect 48 \n", |
|
"15 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52231 192.168.2.11 88 6 0 Connect 48 \n", |
|
"16 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52230 192.168.2.11 88 6 0 Connect 48 \n", |
|
"17 200 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52209 192.168.2.11 88 6 0 Connect 48 \n", |
|
"18 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52208 192.168.2.11 88 6 0 Connect 48 \n", |
|
"19 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52207 192.168.2.11 88 6 0 Connect 48 \n", |
|
"20 728 \\device\\harddiskvolume2\\windows\\system32\\lsass.exe Outbound 192.168.2.10 52206 192.168.2.11 88 6 0 Connect 48 " |
|
] |
|
}, |
|
"execution_count": 65, |
|
"metadata": {}, |
|
"output_type": "execute_result" |
|
} |
|
], |
|
"source": [ |
|
"df5_EID_5156_Client" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 66, |
|
"id": "ac0bd7f0-91ab-4411-a6c2-25c77a3f1d9f", |
|
"metadata": {}, |
|
"outputs": [], |
|
"source": [ |
|
"from pandasql import sqldf\n", |
|
"ClientSide_AskTGT_Kerberoasting = pandasql.sqldf(\n", |
|
"\"\"\"\n", |
|
"SELECT *\n", |
|
"FROM df5_EID_4768_asktgt a\n", |
|
"JOIN df5_EID_5156_Client b \n", |
|
"ON a.'Client Port' == b.'Source Port'\n", |
|
"AND a.'Client Address' == b.'Source Address'\n", |
|
"\"\"\"\n", |
|
"\n", |
|
").drop_duplicates().reset_index().drop(\"index\", axis=1)" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": null, |
|
"id": "0fc540f5-7b3d-4058-bbb6-481b3e34d25f", |
|
"metadata": {}, |
|
"outputs": [], |
|
"source": [ |
|
"from pandasql import sqldf\n", |
|
"ClientSide_S4U2Self = pandasql.sqldf(\n", |
|
"\"\"\"\n", |
|
"SELECT *\n", |
|
"FROM df5_EID_4769_s4u2self a\n", |
|
"JOIN df5_EID_5156_Client b \n", |
|
"ON a.'Client Port' == b.'Source Port'\n", |
|
"AND a.'Client Address' == b.'Source Address'\n", |
|
"WHERE a.'Ticket Options' == \"0x40800018\" AND a.'Failure Code' == \"0x0\"\n", |
|
"\"\"\"\n", |
|
"\n", |
|
").drop_duplicates().reset_index().drop(\"index\", axis=1)" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 67, |
|
"id": "7504e827-63cd-499e-b55b-044af4a6ca8d", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"data": { |
|
"text/html": [ |
|
"<div>\n", |
|
"<style scoped>\n", |
|
" .dataframe tbody tr th:only-of-type {\n", |
|
" vertical-align: middle;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe tbody tr th {\n", |
|
" vertical-align: top;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe thead th {\n", |
|
" text-align: right;\n", |
|
" }\n", |
|
"</style>\n", |
|
"<table border=\"1\" class=\"dataframe\">\n", |
|
" <thead>\n", |
|
" <tr style=\"text-align: right;\">\n", |
|
" <th></th>\n", |
|
" <th>Account Name</th>\n", |
|
" <th>Supplied Realm Name</th>\n", |
|
" <th>User ID</th>\n", |
|
" <th>Service Name</th>\n", |
|
" <th>Service ID</th>\n", |
|
" <th>Client Address</th>\n", |
|
" <th>Client Port</th>\n", |
|
" <th>Ticket Options</th>\n", |
|
" <th>Result Code</th>\n", |
|
" <th>Ticket Encryption Type</th>\n", |
|
" <th>Pre-Authentication Type</th>\n", |
|
" <th>Process ID</th>\n", |
|
" <th>Application Name</th>\n", |
|
" <th>Direction</th>\n", |
|
" <th>Source Address</th>\n", |
|
" <th>Source Port</th>\n", |
|
" <th>Destination Address</th>\n", |
|
" <th>Destination Port</th>\n", |
|
" <th>Protocol</th>\n", |
|
" <th>Filter Run-Time ID</th>\n", |
|
" <th>Layer Name</th>\n", |
|
" <th>Layer Run-Time ID</th>\n", |
|
" </tr>\n", |
|
" </thead>\n", |
|
" <tbody>\n", |
|
" <tr>\n", |
|
" <th>0</th>\n", |
|
" <td>panther</td>\n", |
|
" <td>marvel.local</td>\n", |
|
" <td>MARVEL\\panther</td>\n", |
|
" <td>krbtgt</td>\n", |
|
" <td>krbtgt</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52411</td>\n", |
|
" <td>0x40800010</td>\n", |
|
" <td>0x0</td>\n", |
|
" <td>0x17</td>\n", |
|
" <td>2</td>\n", |
|
" <td>5552</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52411</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>1</th>\n", |
|
" <td>panther</td>\n", |
|
" <td>marvel.local</td>\n", |
|
" <td>MARVEL\\panther</td>\n", |
|
" <td>krbtgt</td>\n", |
|
" <td>krbtgt</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52209</td>\n", |
|
" <td>0x40800010</td>\n", |
|
" <td>0x0</td>\n", |
|
" <td>0x17</td>\n", |
|
" <td>2</td>\n", |
|
" <td>200</td>\n", |
|
" <td>\\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe</td>\n", |
|
" <td>Outbound</td>\n", |
|
" <td>192.168.2.10</td>\n", |
|
" <td>52209</td>\n", |
|
" <td>192.168.2.11</td>\n", |
|
" <td>88</td>\n", |
|
" <td>6</td>\n", |
|
" <td>0</td>\n", |
|
" <td>Connect</td>\n", |
|
" <td>48</td>\n", |
|
" </tr>\n", |
|
" </tbody>\n", |
|
"</table>\n", |
|
"</div>" |
|
], |
|
"text/plain": [ |
|
" Account Name Supplied Realm Name User ID Service Name Service ID Client Address Client Port Ticket Options Result Code Ticket Encryption Type Pre-Authentication Type Process ID Application Name Direction Source Address Source Port Destination Address Destination Port Protocol Filter Run-Time ID Layer Name Layer Run-Time ID\n", |
|
"0 panther marvel.local MARVEL\\panther krbtgt krbtgt 192.168.2.10 52411 0x40800010 0x0 0x17 2 5552 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52411 192.168.2.11 88 6 0 Connect 48 \n", |
|
"1 panther marvel.local MARVEL\\panther krbtgt krbtgt 192.168.2.10 52209 0x40800010 0x0 0x17 2 200 \\device\\harddiskvolume2\\users\\thor\\desktop\\rubeus.exe Outbound 192.168.2.10 52209 192.168.2.11 88 6 0 Connect 48 " |
|
] |
|
}, |
|
"execution_count": 67, |
|
"metadata": {}, |
|
"output_type": "execute_result" |
|
} |
|
], |
|
"source": [ |
|
"ClientSide_AskTGT_Kerberoasting" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 68, |
|
"id": "b9d760a8-a5f9-4150-8c4f-12232f51ebbd", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"name": "stderr", |
|
"output_type": "stream", |
|
"text": [ |
|
"/tmp/ipykernel_447/3290488740.py:7: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n", |
|
" reader = results.ResultsReader(query_results)\n" |
|
] |
|
} |
|
], |
|
"source": [ |
|
"Query_4688 = []\n", |
|
"for a in ClientSide_AskTGT_Kerberoasting['Process ID']:\n", |
|
" import splunklib.results as results\n", |
|
" #Query: Sysmon process-creation (EventCode=1) events from the last 4 hours with a matching ProcessId; PIDs are reused, so unrelated earlier processes with the same PID also match (see the chrome.exe and smartscreen.exe rows below) and should be disambiguated by UtcTime or ProcessGuid; the break at the end of the loop stops after the first Process ID\n", |
|
" query = \"search index=windows sourcetype=Sysmon EventCode=1 ProcessId={} earliest=-4hr\".format(a)\n", |
|
" query_results = service.jobs.oneshot(query, count=0)\n", |
|
" reader = results.ResultsReader(query_results)\n", |
|
"\n", |
|
" results = []\n", |
|
"\n", |
|
" for result in reader:\n", |
|
" results.append(result)\n", |
|
"\n", |
|
" df_EID=pd.DataFrame(results)\n", |
|
" df2_EID = df_EID.Message\n", |
|
" df3_EID = df2_EID.str.split('\\n')\n", |
|
" df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n", |
|
" Query_4688.append(pd.DataFrame(df4_EID))\n", |
|
" break\n", |
|
"df = pd.concat(Query_4688)" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 69, |
|
"id": "02363626-4e96-46fb-b7b3-548f6d860461", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"data": { |
|
"text/html": [ |
|
"<div>\n", |
|
"<style scoped>\n", |
|
" .dataframe tbody tr th:only-of-type {\n", |
|
" vertical-align: middle;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe tbody tr th {\n", |
|
" vertical-align: top;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe thead th {\n", |
|
" text-align: right;\n", |
|
" }\n", |
|
"</style>\n", |
|
"<table border=\"1\" class=\"dataframe\">\n", |
|
" <thead>\n", |
|
" <tr style=\"text-align: right;\">\n", |
|
" <th></th>\n", |
|
" <th>RuleName</th>\n", |
|
" <th>UtcTime</th>\n", |
|
" <th>ProcessGuid</th>\n", |
|
" <th>ProcessId</th>\n", |
|
" <th>Image</th>\n", |
|
" <th>FileVersion</th>\n", |
|
" <th>Description</th>\n", |
|
" <th>Product</th>\n", |
|
" <th>Company</th>\n", |
|
" <th>OriginalFileName</th>\n", |
|
" <th>CommandLine</th>\n", |
|
" <th>CurrentDirectory</th>\n", |
|
" <th>User</th>\n", |
|
" <th>LogonGuid</th>\n", |
|
" <th>LogonId</th>\n", |
|
" <th>TerminalSessionId</th>\n", |
|
" <th>IntegrityLevel</th>\n", |
|
" <th>Hashes</th>\n", |
|
" <th>ParentProcessGuid</th>\n", |
|
" <th>ParentProcessId</th>\n", |
|
" <th>ParentImage</th>\n", |
|
" <th>ParentCommandLine</th>\n", |
|
" <th>ParentUser</th>\n", |
|
" </tr>\n", |
|
" </thead>\n", |
|
" <tbody>\n", |
|
" <tr>\n", |
|
" <th>0</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 15:36:14.649</td>\n", |
|
" <td>{56d91ad3-e66e-62ce-5e2f-000000002f00}</td>\n", |
|
" <td>5552</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>1</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 15:06:17.648</td>\n", |
|
" <td>{56d91ad3-df69-62ce-452e-000000002f00}</td>\n", |
|
" <td>5552</td>\n", |
|
" <td>C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</td>\n", |
|
" <td>103.0.5060.114</td>\n", |
|
" <td>Google Chrome</td>\n", |
|
" <td>Google Chrome</td>\n", |
|
" <td>Google LLC</td>\n", |
|
" <td>chrome.exe</td>\n", |
|
" <td>\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --launch-time-ticks=71269923481 --mojo-platform-channel-handle=6468 --field-trial-handle=1700,i,7950739293659264102,16766236593476826016,131072 /prefetch:1</td>\n", |
|
" <td>C:\\Program Files\\Google\\Chrome\\Application\\103.0.5060.114\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-c160-0b0000000000}</td>\n", |
|
" <td>0xB60C1</td>\n", |
|
" <td>2</td>\n", |
|
" <td>Low</td>\n", |
|
" <td>SHA1=AF8A6E7216F67CA5D220084D07E1ED922AC72817,MD5=D3E37D1F3304AB7EDAA2E4D3AC183980,SHA256=AA395EE3B33142BD96382709C515F321D122E2499F773A457868C8666C9177A2,IMPHASH=6B4443349D1BF3B7F64F196B03E28222</td>\n", |
|
" <td>{56d91ad3-ca26-62cd-2801-000000002f00}</td>\n", |
|
" <td>4240</td>\n", |
|
" <td>C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</td>\n", |
|
" <td>\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>2</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:58:55.922</td>\n", |
|
" <td>{56d91ad3-ddaf-62ce-f92d-000000002f00}</td>\n", |
|
" <td>5552</td>\n", |
|
" <td>C:\\Windows\\System32\\smartscreen.exe</td>\n", |
|
" <td>10.0.19041.1052 (WinBuild.160101.0800)</td>\n", |
|
" <td>Windows Defender SmartScreen</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>smartscreen.exe</td>\n", |
|
" <td>C:\\Windows\\System32\\smartscreen.exe -Embedding</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-c160-0b0000000000}</td>\n", |
|
" <td>0xB60C1</td>\n", |
|
" <td>2</td>\n", |
|
" <td>Medium</td>\n", |
|
" <td>SHA1=183E877F488F2DF9F304F60A42514A334720399F,MD5=521ED922765BCA8F79BD76188F879311,SHA256=9605680FC164ACB985C031ECA2C8BC4909CF8B749C571DB6DE2B0B2C204C2163,IMPHASH=6DFBF12753AF176E3C203C407493A5B9</td>\n", |
|
" <td>{56d91ad3-c9b2-62cd-0f00-000000002f00}</td>\n", |
|
" <td>844</td>\n", |
|
" <td>C:\\Windows\\System32\\svchost.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>3</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:56:00.159</td>\n", |
|
" <td>{56d91ad3-dd00-62ce-e12d-000000002f00}</td>\n", |
|
" <td>5552</td>\n", |
|
" <td>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe</td>\n", |
|
" <td>-</td>\n", |
|
" <td>-</td>\n", |
|
" <td>-</td>\n", |
|
" <td>-</td>\n", |
|
" <td>-</td>\n", |
|
" <td>\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" <td>{56d91ad3-c9b1-62cd-e703-000000000000}</td>\n", |
|
" <td>0x3E7</td>\n", |
|
" <td>0</td>\n", |
|
" <td>System</td>\n", |
|
" <td>SHA1=E73E8A345775B9E136D131758073B194CC629086,MD5=16D726D7FB24044AA736D7E3A0C6C307,SHA256=417219BE9BC27BF2906BE8BF3C253094B7A3B79A134CEDAEF9366E88A48D5E24,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9</td>\n", |
|
" <td>{56d91ad3-c9b8-62cd-5500-000000002f00}</td>\n", |
|
" <td>3452</td>\n", |
|
" <td>C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe</td>\n", |
|
" <td>\"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" </tbody>\n", |
|
"</table>\n", |
|
"</div>" |
|
], |
|
"text/plain": [ |
|
" RuleName UtcTime ProcessGuid ProcessId Image FileVersion Description Product Company OriginalFileName CommandLine CurrentDirectory User LogonGuid LogonId TerminalSessionId IntegrityLevel Hashes ParentProcessGuid ParentProcessId ParentImage ParentCommandLine ParentUser\n", |
|
"0 - 2022-07-13 15:36:14.649 {56d91ad3-e66e-62ce-5e2f-000000002f00} 5552 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"1 - 2022-07-13 15:06:17.648 {56d91ad3-df69-62ce-452e-000000002f00} 5552 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe 103.0.5060.114 Google Chrome Google Chrome Google LLC chrome.exe \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --launch-time-ticks=71269923481 --mojo-platform-channel-handle=6468 --field-trial-handle=1700,i,7950739293659264102,16766236593476826016,131072 /prefetch:1 C:\\Program Files\\Google\\Chrome\\Application\\103.0.5060.114\\ MARVEL\\thor {56d91ad3-c9cc-62cd-c160-0b0000000000} 0xB60C1 2 Low SHA1=AF8A6E7216F67CA5D220084D07E1ED922AC72817,MD5=D3E37D1F3304AB7EDAA2E4D3AC183980,SHA256=AA395EE3B33142BD96382709C515F321D122E2499F773A457868C8666C9177A2,IMPHASH=6B4443349D1BF3B7F64F196B03E28222 {56d91ad3-ca26-62cd-2801-000000002f00} 4240 C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe \"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" MARVEL\\thor \n", |
|
"2 - 2022-07-13 14:58:55.922 {56d91ad3-ddaf-62ce-f92d-000000002f00} 5552 C:\\Windows\\System32\\smartscreen.exe 10.0.19041.1052 (WinBuild.160101.0800) Windows Defender SmartScreen Microsoft® Windows® Operating System Microsoft Corporation smartscreen.exe C:\\Windows\\System32\\smartscreen.exe -Embedding C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-c160-0b0000000000} 0xB60C1 2 Medium SHA1=183E877F488F2DF9F304F60A42514A334720399F,MD5=521ED922765BCA8F79BD76188F879311,SHA256=9605680FC164ACB985C031ECA2C8BC4909CF8B749C571DB6DE2B0B2C204C2163,IMPHASH=6DFBF12753AF176E3C203C407493A5B9 {56d91ad3-c9b2-62cd-0f00-000000002f00} 844 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p NT AUTHORITY\\SYSTEM\n", |
|
"3 - 2022-07-13 14:56:00.159 {56d91ad3-dd00-62ce-e12d-000000002f00} 5552 C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe - - - - - \"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\" --ps2 C:\\Windows\\system32\\ NT AUTHORITY\\SYSTEM {56d91ad3-c9b1-62cd-e703-000000000000} 0x3E7 0 System SHA1=E73E8A345775B9E136D131758073B194CC629086,MD5=16D726D7FB24044AA736D7E3A0C6C307,SHA256=417219BE9BC27BF2906BE8BF3C253094B7A3B79A134CEDAEF9366E88A48D5E24,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9 {56d91ad3-c9b8-62cd-5500-000000002f00} 3452 C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe \"c:\\Program Files\\SplunkUniversalForwarder\\bin\\splunkd.exe\" service NT AUTHORITY\\SYSTEM" |
|
] |
|
}, |
|
"execution_count": 69, |
|
"metadata": {}, |
|
"output_type": "execute_result" |
|
} |
|
], |
|
"source": [ |
|
"df" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 70, |
|
"id": "9fc420f1-8f0b-4f19-9d6c-ad988a10f92a", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"name": "stderr", |
|
"output_type": "stream", |
|
"text": [ |
|
"/tmp/ipykernel_447/23119429.py:8: DeprecationWarning: ResultsReader is a deprecated function. Use the JSONResultsReader function instead in conjuction with the 'output_mode' query param set to 'json'\n", |
|
" reader = results.ResultsReader(query_results)\n" |
|
] |
|
} |
|
], |
|
"source": [ |
|
"LogonData = []\n", |
|
"for a in df['LogonId']:\n", |
|
" if a != \"0x3E7\":\n", |
|
" import splunklib.results as results\n", |
|
" #Query: Sysmon process-creation events (EventCode=1) for one LogonId taken from the 4769 results above. The id is dropped into the SPL string by .format() with no validation, so an unexpected value in that field would change the search; it is expected to be a 0x-prefixed hex logon id\n", |
|
" query = \"search index=windows sourcetype=Sysmon EventCode=1 LogonId={}\".format(a)\n", |
|
" query_results = service.jobs.oneshot(query, count=0)\n", |
|
" reader = results.ResultsReader(query_results)\n", |
|
"\n", |
|
" results = []\n", |
|
"\n", |
|
" for result in reader:\n", |
|
" results.append(result)\n", |
|
"\n", |
|
" df_EID=pd.DataFrame(results)\n", |
|
" df2_EID = df_EID.Message\n", |
|
" df3_EID = df2_EID.str.split('\\n')\n", |
|
" df4_EID = [{a.split(\":\")[0].strip():\":\".join(a.split(\":\")[1:]).strip() for a in b if \":\".join(a.split(\":\")[1:]).strip() != ''} for b in df3_EID]\n", |
|
" LogonData.append(pd.DataFrame(df4_EID))\n", |
|
" break\n", |
|
"Logondf = pd.concat(LogonData)" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": 71, |
|
"id": "fcd72a97-b331-46e9-a7bb-16398a4c2287", |
|
"metadata": {}, |
|
"outputs": [ |
|
{ |
|
"data": { |
|
"text/html": [ |
|
"<div>\n", |
|
"<style scoped>\n", |
|
" .dataframe tbody tr th:only-of-type {\n", |
|
" vertical-align: middle;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe tbody tr th {\n", |
|
" vertical-align: top;\n", |
|
" }\n", |
|
"\n", |
|
" .dataframe thead th {\n", |
|
" text-align: right;\n", |
|
" }\n", |
|
"</style>\n", |
|
"<table border=\"1\" class=\"dataframe\">\n", |
|
" <thead>\n", |
|
" <tr style=\"text-align: right;\">\n", |
|
" <th></th>\n", |
|
" <th>RuleName</th>\n", |
|
" <th>UtcTime</th>\n", |
|
" <th>ProcessGuid</th>\n", |
|
" <th>ProcessId</th>\n", |
|
" <th>Image</th>\n", |
|
" <th>FileVersion</th>\n", |
|
" <th>Description</th>\n", |
|
" <th>Product</th>\n", |
|
" <th>Company</th>\n", |
|
" <th>OriginalFileName</th>\n", |
|
" <th>CommandLine</th>\n", |
|
" <th>CurrentDirectory</th>\n", |
|
" <th>User</th>\n", |
|
" <th>LogonGuid</th>\n", |
|
" <th>LogonId</th>\n", |
|
" <th>TerminalSessionId</th>\n", |
|
" <th>IntegrityLevel</th>\n", |
|
" <th>Hashes</th>\n", |
|
" <th>ParentProcessGuid</th>\n", |
|
" <th>ParentProcessId</th>\n", |
|
" <th>ParentImage</th>\n", |
|
" <th>ParentCommandLine</th>\n", |
|
" <th>ParentUser</th>\n", |
|
" </tr>\n", |
|
" </thead>\n", |
|
" <tbody>\n", |
|
" <tr>\n", |
|
" <th>0</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 15:36:14.649</td>\n", |
|
" <td>{56d91ad3-e66e-62ce-5e2f-000000002f00}</td>\n", |
|
" <td>5552</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>1</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 15:32:19.853</td>\n", |
|
" <td>{56d91ad3-e583-62ce-382f-000000002f00}</td>\n", |
|
" <td>3548</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>2</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 15:32:18.204</td>\n", |
|
" <td>{56d91ad3-e582-62ce-372f-000000002f00}</td>\n", |
|
" <td>2476</td>\n", |
|
" <td>C:\\Windows\\System32\\klist.exe</td>\n", |
|
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n", |
|
" <td>Tool for managing the Kerberos ticket cache</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>klist.exe</td>\n", |
|
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>3</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 15:01:18.712</td>\n", |
|
" <td>{56d91ad3-de3e-62ce-152e-000000002f00}</td>\n", |
|
" <td>7204</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>4</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:59:38.424</td>\n", |
|
" <td>{56d91ad3-ddda-62ce-012e-000000002f00}</td>\n", |
|
" <td>9228</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>5</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:58:33.255</td>\n", |
|
" <td>{56d91ad3-dd99-62ce-f52d-000000002f00}</td>\n", |
|
" <td>3100</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt kerberoast</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>6</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:53:51.822</td>\n", |
|
" <td>{56d91ad3-dc7f-62ce-cc2d-000000002f00}</td>\n", |
|
" <td>200</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>7</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:53:48.482</td>\n", |
|
" <td>{56d91ad3-dc7c-62ce-cb2d-000000002f00}</td>\n", |
|
" <td>8680</td>\n", |
|
" <td>C:\\Windows\\System32\\klist.exe</td>\n", |
|
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n", |
|
" <td>Tool for managing the Kerberos ticket cache</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>klist.exe</td>\n", |
|
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>8</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:53:38.250</td>\n", |
|
" <td>{56d91ad3-dc72-62ce-ca2d-000000002f00}</td>\n", |
|
" <td>8012</td>\n", |
|
" <td>C:\\Windows\\System32\\auditpol.exe</td>\n", |
|
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n", |
|
" <td>Audit Policy Program</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>AUDITPOL.EXE</td>\n", |
|
" <td>\"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>9</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:51:28.865</td>\n", |
|
" <td>{56d91ad3-dbf0-62ce-b02d-000000002f00}</td>\n", |
|
" <td>7088</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>10</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 14:45:35.253</td>\n", |
|
" <td>{56d91ad3-da8f-62ce-6c2d-000000002f00}</td>\n", |
|
" <td>7056</td>\n", |
|
" <td>C:\\Windows\\System32\\klist.exe</td>\n", |
|
" <td>10.0.19041.1387 (WinBuild.160101.0800)</td>\n", |
|
" <td>Tool for managing the Kerberos ticket cache</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>klist.exe</td>\n", |
|
" <td>\"C:\\Windows\\system32\\klist.exe\" purge</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>11</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 00:33:37.653</td>\n", |
|
" <td>{56d91ad3-12e1-62ce-8f0d-000000002f00}</td>\n", |
|
" <td>4736</td>\n", |
|
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n", |
|
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n", |
|
" <td>Host Process for Windows Tasks</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>taskhostw.exe</td>\n", |
|
" <td>taskhostw.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n", |
|
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n", |
|
" <td>1296</td>\n", |
|
" <td>C:\\Windows\\System32\\svchost.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>12</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 00:32:57.679</td>\n", |
|
" <td>{56d91ad3-12b9-62ce-6d0d-000000002f00}</td>\n", |
|
" <td>1320</td>\n", |
|
" <td>C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\DismHost.exe</td>\n", |
|
" <td>10.0.19041.746 (WinBuild.160101.0800)</td>\n", |
|
" <td>Dism Host Servicing Process</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>DismHost.exe</td>\n", |
|
" <td>C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\dismhost.exe {432304F9-73D7-4EEE-B662-354362A6C263}</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=DBB14DCDA6502AB1D23A7C77D405DAFBCBEB439E,MD5=E5D5E9C1F65B8EC7AA5B7F1B1ACDD731,SHA256=E30508E2088BC16B2A84233CED64995F738DEAEF2366AC6C86B35C93BBCD9D80,IMPHASH=D204EB506D6ABBEB4C51A54E8F6C1789</td>\n", |
|
" <td>{56d91ad3-12a7-62ce-5b0d-000000002f00}</td>\n", |
|
" <td>6904</td>\n", |
|
" <td>C:\\Windows\\System32\\cleanmgr.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>13</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 00:32:41.271</td>\n", |
|
" <td>{56d91ad3-12a9-62ce-5f0d-000000002f00}</td>\n", |
|
" <td>1096</td>\n", |
|
" <td>C:\\Windows\\System32\\conhost.exe</td>\n", |
|
" <td>10.0.19041.1320 (WinBuild.160101.0800)</td>\n", |
|
" <td>Console Window Host</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>CONHOST.EXE</td>\n", |
|
" <td>\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1</td>\n", |
|
" <td>C:\\Windows</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7</td>\n", |
|
" <td>{56d91ad3-12a9-62ce-5e0d-000000002f00}</td>\n", |
|
" <td>1964</td>\n", |
|
" <td>C:\\Windows\\System32\\sdiagnhost.exe</td>\n", |
|
" <td>C:\\Windows\\System32\\sdiagnhost.exe -Embedding</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>14</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 00:32:41.223</td>\n", |
|
" <td>{56d91ad3-12a9-62ce-5e0d-000000002f00}</td>\n", |
|
" <td>1964</td>\n", |
|
" <td>C:\\Windows\\System32\\sdiagnhost.exe</td>\n", |
|
" <td>10.0.19041.1 (WinBuild.160101.0800)</td>\n", |
|
" <td>Scripted Diagnostics Native Host</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>sdiagnhost.exe</td>\n", |
|
" <td>C:\\Windows\\System32\\sdiagnhost.exe -Embedding</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=540745F1CE67423A156069218680B9DA873B4778,MD5=6A21B1893DDE94CB87BA56111375888A,SHA256=761815301A00D0B3A7BB4959A5004B623C55009CE701C6E867C96F468DC1323A,IMPHASH=88C840A970A1633DCA61E1CD2D926E21</td>\n", |
|
" <td>{56d91ad3-c9b2-62cd-0f00-000000002f00}</td>\n", |
|
" <td>844</td>\n", |
|
" <td>C:\\Windows\\System32\\svchost.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>15</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 00:32:39.738</td>\n", |
|
" <td>{56d91ad3-12a7-62ce-5b0d-000000002f00}</td>\n", |
|
" <td>6904</td>\n", |
|
" <td>C:\\Windows\\System32\\cleanmgr.exe</td>\n", |
|
" <td>10.0.19041.1266 (WinBuild.160101.0800)</td>\n", |
|
" <td>Disk Space Cleanup Manager for Windows</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>CLEANMGR.DLL</td>\n", |
|
" <td>C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C:</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=D0782098CBF41490EA1E54DB5D21A679F332A113,MD5=CD0D99EBE88D11F55136EAE39CCF8F6E,SHA256=ACD2CBFB4C9FB8FE20C21A7EC99445D1426CEE90FF3091115EB4C9484B69EA9D,IMPHASH=98FFD535813DA56E7646C88F49DBE567</td>\n", |
|
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n", |
|
" <td>1296</td>\n", |
|
" <td>C:\\Windows\\System32\\svchost.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>16</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-13 00:32:38.954</td>\n", |
|
" <td>{56d91ad3-12a6-62ce-4f0d-000000002f00}</td>\n", |
|
" <td>4808</td>\n", |
|
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n", |
|
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n", |
|
" <td>Host Process for Windows Tasks</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>taskhostw.exe</td>\n", |
|
" <td>taskhostw.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n", |
|
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n", |
|
" <td>1296</td>\n", |
|
" <td>C:\\Windows\\System32\\svchost.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>17</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:27:35.194</td>\n", |
|
" <td>{56d91ad3-cb27-62cd-9201-000000002f00}</td>\n", |
|
" <td>2312</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever!</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>18</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:26:43.102</td>\n", |
|
" <td>{56d91ad3-caf3-62cd-7401-000000002f00}</td>\n", |
|
" <td>2608</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\Rubeus.exe</td>\n", |
|
" <td>1.0.0.0</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>Rubeus</td>\n", |
|
" <td>-</td>\n", |
|
" <td>Rubeus.exe</td>\n", |
|
" <td>\"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever1!</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>19</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:26:33.398</td>\n", |
|
" <td>{56d91ad3-cae9-62cd-6f01-000000002f00}</td>\n", |
|
" <td>1176</td>\n", |
|
" <td>C:\\Windows\\System32\\auditpol.exe</td>\n", |
|
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n", |
|
" <td>Audit Policy Program</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>AUDITPOL.EXE</td>\n", |
|
" <td>\"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable</td>\n", |
|
" <td>C:\\Users\\thor\\Desktop\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>20</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:25:27.022</td>\n", |
|
" <td>{56d91ad3-caa7-62cd-6501-000000002f00}</td>\n", |
|
" <td>7304</td>\n", |
|
" <td>C:\\Windows\\System32\\mmc.exe</td>\n", |
|
" <td>10.0.19041.746 (WinBuild.160101.0800)</td>\n", |
|
" <td>Microsoft Management Console</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>mmc.exe</td>\n", |
|
" <td>\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=9269F1FBCF65FEFBC88A2E239519C21EFE0F6BA5,MD5=8C86B80518406F14A4952D67185032D6,SHA256=895EEF1EDA5700A425934AE3782D4741DFEFB7DEAFA53891BDE490150187B98A,IMPHASH=6D8477830CFE8D50B7224D91F4DD7CB9</td>\n", |
|
" <td>{56d91ad3-c9d8-62cd-d500-000000002f00}</td>\n", |
|
" <td>7196</td>\n", |
|
" <td>C:\\Windows\\explorer.exe</td>\n", |
|
" <td>C:\\Windows\\Explorer.EXE</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>21</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:24:14.820</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5601-000000002f00}</td>\n", |
|
" <td>5084</td>\n", |
|
" <td>C:\\Windows\\System32\\conhost.exe</td>\n", |
|
" <td>10.0.19041.1320 (WinBuild.160101.0800)</td>\n", |
|
" <td>Console Window Host</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>CONHOST.EXE</td>\n", |
|
" <td>\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1</td>\n", |
|
" <td>C:\\Windows</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>22</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:24:14.498</td>\n", |
|
" <td>{56d91ad3-ca5e-62cd-5501-000000002f00}</td>\n", |
|
" <td>7968</td>\n", |
|
" <td>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</td>\n", |
|
" <td>10.0.19041.546 (WinBuild.160101.0800)</td>\n", |
|
" <td>Windows PowerShell</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>PowerShell.EXE</td>\n", |
|
" <td>\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7</td>\n", |
|
" <td>{56d91ad3-c9d8-62cd-d500-000000002f00}</td>\n", |
|
" <td>7196</td>\n", |
|
" <td>C:\\Windows\\explorer.exe</td>\n", |
|
" <td>C:\\Windows\\Explorer.EXE</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>23</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:23:06.122</td>\n", |
|
" <td>{56d91ad3-ca1a-62cd-1e01-000000002f00}</td>\n", |
|
" <td>9940</td>\n", |
|
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n", |
|
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n", |
|
" <td>Host Process for Windows Tasks</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>taskhostw.exe</td>\n", |
|
" <td>taskhostw.exe $(Arg0)</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n", |
|
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n", |
|
" <td>1296</td>\n", |
|
" <td>C:\\Windows\\System32\\svchost.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" <tr>\n", |
|
" <th>24</th>\n", |
|
" <td>-</td>\n", |
|
" <td>2022-07-12 19:21:56.825</td>\n", |
|
" <td>{56d91ad3-c9d4-62cd-cb00-000000002f00}</td>\n", |
|
" <td>6308</td>\n", |
|
" <td>C:\\Windows\\System32\\taskhostw.exe</td>\n", |
|
" <td>10.0.19041.906 (WinBuild.160101.0800)</td>\n", |
|
" <td>Host Process for Windows Tasks</td>\n", |
|
" <td>Microsoft® Windows® Operating System</td>\n", |
|
" <td>Microsoft Corporation</td>\n", |
|
" <td>taskhostw.exe</td>\n", |
|
" <td>taskhostw.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\</td>\n", |
|
" <td>MARVEL\\thor</td>\n", |
|
" <td>{56d91ad3-c9cc-62cd-3f60-0b0000000000}</td>\n", |
|
" <td>0xB603F</td>\n", |
|
" <td>2</td>\n", |
|
" <td>High</td>\n", |
|
" <td>SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924</td>\n", |
|
" <td>{56d91ad3-c9b4-62cd-1f00-000000002f00}</td>\n", |
|
" <td>1296</td>\n", |
|
" <td>C:\\Windows\\System32\\svchost.exe</td>\n", |
|
" <td>C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule</td>\n", |
|
" <td>NT AUTHORITY\\SYSTEM</td>\n", |
|
" </tr>\n", |
|
" </tbody>\n", |
|
"</table>\n", |
|
"</div>" |
|
], |
|
"text/plain": [ |
|
" RuleName UtcTime ProcessGuid ProcessId Image FileVersion Description Product Company OriginalFileName CommandLine CurrentDirectory User LogonGuid LogonId TerminalSessionId IntegrityLevel Hashes ParentProcessGuid ParentProcessId ParentImage ParentCommandLine ParentUser\n", |
|
"0 - 2022-07-13 15:36:14.649 {56d91ad3-e66e-62ce-5e2f-000000002f00} 5552 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"1 - 2022-07-13 15:32:19.853 {56d91ad3-e583-62ce-382f-000000002f00} 3548 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"2 - 2022-07-13 15:32:18.204 {56d91ad3-e582-62ce-372f-000000002f00} 2476 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"3 - 2022-07-13 15:01:18.712 {56d91ad3-de3e-62ce-152e-000000002f00} 7204 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast /tgtdeleg C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"4 - 2022-07-13 14:59:38.424 {56d91ad3-ddda-62ce-012e-000000002f00} 9228 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" kerberoast C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"5 - 2022-07-13 14:58:33.255 {56d91ad3-dd99-62ce-f52d-000000002f00} 3100 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt kerberoast C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"6 - 2022-07-13 14:53:51.822 {56d91ad3-dc7f-62ce-cc2d-000000002f00} 200 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"7 - 2022-07-13 14:53:48.482 {56d91ad3-dc7c-62ce-cb2d-000000002f00} 8680 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"8 - 2022-07-13 14:53:38.250 {56d91ad3-dc72-62ce-ca2d-000000002f00} 8012 C:\\Windows\\System32\\auditpol.exe 10.0.19041.546 (WinBuild.160101.0800) Audit Policy Program Microsoft® Windows® Operating System Microsoft Corporation AUDITPOL.EXE \"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"9 - 2022-07-13 14:51:28.865 {56d91ad3-dbf0-62ce-b02d-000000002f00} 7088 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"10 - 2022-07-13 14:45:35.253 {56d91ad3-da8f-62ce-6c2d-000000002f00} 7056 C:\\Windows\\System32\\klist.exe 10.0.19041.1387 (WinBuild.160101.0800) Tool for managing the Kerberos ticket cache Microsoft® Windows® Operating System Microsoft Corporation klist.exe \"C:\\Windows\\system32\\klist.exe\" purge C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=12F183A0F99F35026E7BAFF0D26A5548A361BECB,MD5=0ED88604DAA88979CE5B96D03FEBCFE4,SHA256=26E63196C5739A2D5CAFAAFE77842C7D48193B74D3416243D6A155B19B63A524,IMPHASH=D235A5641DE014C6EFBCA43F72899449 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"11 - 2022-07-13 00:33:37.653 {56d91ad3-12e1-62ce-8f0d-000000002f00} 4736 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n", |
|
"12 - 2022-07-13 00:32:57.679 {56d91ad3-12b9-62ce-6d0d-000000002f00} 1320 C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\DismHost.exe 10.0.19041.746 (WinBuild.160101.0800) Dism Host Servicing Process Microsoft® Windows® Operating System Microsoft Corporation DismHost.exe C:\\Users\\thor\\AppData\\Local\\Temp\\844F0763-DCD0-4FAD-B804-60032786B303\\dismhost.exe {432304F9-73D7-4EEE-B662-354362A6C263} C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=DBB14DCDA6502AB1D23A7C77D405DAFBCBEB439E,MD5=E5D5E9C1F65B8EC7AA5B7F1B1ACDD731,SHA256=E30508E2088BC16B2A84233CED64995F738DEAEF2366AC6C86B35C93BBCD9D80,IMPHASH=D204EB506D6ABBEB4C51A54E8F6C1789 {56d91ad3-12a7-62ce-5b0d-000000002f00} 6904 C:\\Windows\\System32\\cleanmgr.exe C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C: MARVEL\\thor \n", |
|
"13 - 2022-07-13 00:32:41.271 {56d91ad3-12a9-62ce-5f0d-000000002f00} 1096 C:\\Windows\\System32\\conhost.exe 10.0.19041.1320 (WinBuild.160101.0800) Console Window Host Microsoft® Windows® Operating System Microsoft Corporation CONHOST.EXE \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 C:\\Windows MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7 {56d91ad3-12a9-62ce-5e0d-000000002f00} 1964 C:\\Windows\\System32\\sdiagnhost.exe C:\\Windows\\System32\\sdiagnhost.exe -Embedding MARVEL\\thor \n", |
|
"14 - 2022-07-13 00:32:41.223 {56d91ad3-12a9-62ce-5e0d-000000002f00} 1964 C:\\Windows\\System32\\sdiagnhost.exe 10.0.19041.1 (WinBuild.160101.0800) Scripted Diagnostics Native Host Microsoft® Windows® Operating System Microsoft Corporation sdiagnhost.exe C:\\Windows\\System32\\sdiagnhost.exe -Embedding C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=540745F1CE67423A156069218680B9DA873B4778,MD5=6A21B1893DDE94CB87BA56111375888A,SHA256=761815301A00D0B3A7BB4959A5004B623C55009CE701C6E867C96F468DC1323A,IMPHASH=88C840A970A1633DCA61E1CD2D926E21 {56d91ad3-c9b2-62cd-0f00-000000002f00} 844 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p NT AUTHORITY\\SYSTEM\n", |
|
"15 - 2022-07-13 00:32:39.738 {56d91ad3-12a7-62ce-5b0d-000000002f00} 6904 C:\\Windows\\System32\\cleanmgr.exe 10.0.19041.1266 (WinBuild.160101.0800) Disk Space Cleanup Manager for Windows Microsoft® Windows® Operating System Microsoft Corporation CLEANMGR.DLL C:\\Windows\\system32\\cleanmgr.exe /autoclean /d C: C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=D0782098CBF41490EA1E54DB5D21A679F332A113,MD5=CD0D99EBE88D11F55136EAE39CCF8F6E,SHA256=ACD2CBFB4C9FB8FE20C21A7EC99445D1426CEE90FF3091115EB4C9484B69EA9D,IMPHASH=98FFD535813DA56E7646C88F49DBE567 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n", |
|
"16 - 2022-07-13 00:32:38.954 {56d91ad3-12a6-62ce-4f0d-000000002f00} 4808 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n", |
|
"17 - 2022-07-12 19:27:35.194 {56d91ad3-cb27-62cd-9201-000000002f00} 2312 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"18 - 2022-07-12 19:26:43.102 {56d91ad3-caf3-62cd-7401-000000002f00} 2608 C:\\Users\\thor\\Desktop\\Rubeus.exe 1.0.0.0 Rubeus Rubeus - Rubeus.exe \"C:\\Users\\thor\\Desktop\\Rubeus.exe\" asktgt /user:panther /password:WakandaForever1! C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=5C8540D53ECD89542515C479D765D0B2E6481F35,MD5=A097BADFC8B38B5387B7B28AF6486C47,SHA256=AA29640B9A094E0A0A38AFCBE31C3C467852B5795991FACEE10628D62458D769,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"19 - 2022-07-12 19:26:33.398 {56d91ad3-cae9-62cd-6f01-000000002f00} 1176 C:\\Windows\\System32\\auditpol.exe 10.0.19041.546 (WinBuild.160101.0800) Audit Policy Program Microsoft® Windows® Operating System Microsoft Corporation AUDITPOL.EXE \"C:\\Windows\\system32\\auditpol.exe\" /set /category:* /success:enable C:\\Users\\thor\\Desktop\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=E6A50645A361D5C763802FFA6E3C749FB81E96D7,MD5=0CBBB1FFE1AF93272D498FB8FBBFFCC6,SHA256=D1C6EC7F394B59D067DFD47A6A65978E4C2CC73437457A4B78209E5F516471CC,IMPHASH=90AC86A122E388FC7E7952289389E5B0 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"20 - 2022-07-12 19:25:27.022 {56d91ad3-caa7-62cd-6501-000000002f00} 7304 C:\\Windows\\System32\\mmc.exe 10.0.19041.746 (WinBuild.160101.0800) Microsoft Management Console Microsoft® Windows® Operating System Microsoft Corporation mmc.exe \"C:\\Windows\\system32\\mmc.exe\" \"C:\\Windows\\system32\\eventvwr.msc\" /s C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=9269F1FBCF65FEFBC88A2E239519C21EFE0F6BA5,MD5=8C86B80518406F14A4952D67185032D6,SHA256=895EEF1EDA5700A425934AE3782D4741DFEFB7DEAFA53891BDE490150187B98A,IMPHASH=6D8477830CFE8D50B7224D91F4DD7CB9 {56d91ad3-c9d8-62cd-d500-000000002f00} 7196 C:\\Windows\\explorer.exe C:\\Windows\\Explorer.EXE MARVEL\\thor \n", |
|
"21 - 2022-07-12 19:24:14.820 {56d91ad3-ca5e-62cd-5601-000000002f00} 5084 C:\\Windows\\System32\\conhost.exe 10.0.19041.1320 (WinBuild.160101.0800) Console Window Host Microsoft® Windows® Operating System Microsoft Corporation CONHOST.EXE \\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1 C:\\Windows MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=BA93B6F897778B91DB9D179E14C352AF82210061,MD5=D837FA4DEE7D84C19FF6F71FC48A6625,SHA256=22117361C2C34CB18BEEE2CA9770B3AA6C8D032A0941991454DD222BEC6D9295,IMPHASH=5E04B84014354D11014564789EE9BDA7 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" MARVEL\\thor \n", |
|
"22 - 2022-07-12 19:24:14.498 {56d91ad3-ca5e-62cd-5501-000000002f00} 7968 C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe 10.0.19041.546 (WinBuild.160101.0800) Windows PowerShell Microsoft® Windows® Operating System Microsoft Corporation PowerShell.EXE \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054,MD5=04029E121A0CFA5991749937DD22A1D9,SHA256=9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F,IMPHASH=7C955A0ABC747F57CCC4324480737EF7 {56d91ad3-c9d8-62cd-d500-000000002f00} 7196 C:\\Windows\\explorer.exe C:\\Windows\\Explorer.EXE MARVEL\\thor \n", |
|
"23 - 2022-07-12 19:23:06.122 {56d91ad3-ca1a-62cd-1e01-000000002f00} 9940 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe $(Arg0) C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM\n", |
|
"24 - 2022-07-12 19:21:56.825 {56d91ad3-c9d4-62cd-cb00-000000002f00} 6308 C:\\Windows\\System32\\taskhostw.exe 10.0.19041.906 (WinBuild.160101.0800) Host Process for Windows Tasks Microsoft® Windows® Operating System Microsoft Corporation taskhostw.exe taskhostw.exe C:\\Windows\\system32\\ MARVEL\\thor {56d91ad3-c9cc-62cd-3f60-0b0000000000} 0xB603F 2 High SHA1=FED4B4A753A9541389AA670C69E624BE07569CCD,MD5=564E4806AB18F93B93D551CD10C1598E,SHA256=0322728DBCE3A577C4A13B907AD7375D27E74880B63F7371384F67D19197A0AD,IMPHASH=3A0C6863CDE566AF997DB2DEFFF9D924 {56d91ad3-c9b4-62cd-1f00-000000002f00} 1296 C:\\Windows\\System32\\svchost.exe C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule NT AUTHORITY\\SYSTEM" |
|
] |
|
}, |
|
"execution_count": 71, |
|
"metadata": {}, |
|
"output_type": "execute_result" |
|
} |
|
], |
|
"source": [ |
|
"Logondf" |
|
] |
|
}, |
|
{ |
|
"cell_type": "code", |
|
"execution_count": null, |
|
"id": "92422cca-fb2a-47c8-a769-55fcefa103b1", |
|
"metadata": {}, |
|
"outputs": [], |
|
"source": [] |
|
} |
|
], |
|
"metadata": { |
|
"kernelspec": { |
|
"display_name": "Python 3 (ipykernel)", |
|
"language": "python", |
|
"name": "python3" |
|
}, |
|
"language_info": { |
|
"codemirror_mode": { |
|
"name": "ipython", |
|
"version": 3 |
|
}, |
|
"file_extension": ".py", |
|
"mimetype": "text/x-python", |
|
"name": "python", |
|
"nbconvert_exporter": "python", |
|
"pygments_lexer": "ipython3", |
|
"version": "3.9.7" |
|
} |
|
}, |
|
"nbformat": 4, |
|
"nbformat_minor": 5 |
|
} |