Windows

windowsvictim

9689

C:\Users\user2\ntuser.dat

"edgeupdate"

BITS

9

WINDEV2202EVAL\user2

unknown

9617

User Account Changed

unknown

"9AEFBC8D-3E49-4448-B988-5F313E7F68B0"

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

MSExchangeOABAppPool

SystemIndex

Account Management

Application

Système local

1 user registry handles leaked from \Registry\User\S-1-5-21-712794737-353456615-3249761964-1001:
Process 576 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-712794737-353456615-3249761964-1001

The process cannot access the file because it is being used by another process.

Non trouvé (404). 0x80190194 (-2145844844 HTTP_E_STATUS_NOT_FOUND)

3221225539

-

9689

‎mardi ‎16 ‎mars ‎2021 08:29:24    

9617

"Wlclntfy"

Context: Windows Application

Details:
   The volume change journal is being deleted.  (HRESULT : 0x8007049a) (0x8007049a)

4860

C:\Users\TEMP

"{e23b33b0-c8c9-472c-a5f9-f2bdfea0f156}"

3F31C91E-2545-4B7B-9311-9529E8BFFEF6

C:\Users\User\Downloads\ProfSvcLPE.exe

4336

0x8080000000000000

4

C:\Windows\System32\bitsperf.dll

BCD00000000, COMPONENTS,

GetCACaps
GetCACaps: Not Found
{"Message":"The authority \"vmw-keyid-e7286866ba6366b54d95a3bc555d89931e800152.microsoftaik.azure.net\" does not exist."}
HTTP/1.1 404 Not Found
Date: Tue, 01 Mar 2022 19:17:49 GMT
Content-Length: 121
Content-Type: application/json; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000;includeSubDomains
x-ms-request-id: 07abe409-5f87-4a2a-8370-5361e9a5bb9e

10

GET(250ms)

0

"9576"

9576

1716

"49754"

Full Index Reset

9617

9689

GetCACaps

3221225539

'2022-07-26 17:31:46.583705 UTC'

        1109    0    4    0    0    0x80000000000000            3857                    Application    win10-base        

"8568"

csc://{S-1-5-21-712794737-353456615-3249761964-1001}/

https://VMW-KeyId-e7286866ba6366b54d95a3bc555d89931e800152.microsoftaik.azure.net/templates/Aik/scep

      2      2022-03-07 15:22:24.267074 UTC    

"S-1-5-21-582766833-432816504-4207985818-1009"

2

C:\

1359

windowsvictim

windowsvictim

windowsvictim_7db9e240-15f7-410a-8cd9-cc1fa9f3f50a

9617

86400

0

0

1

0

TEST-THKWMDWTQP

0

Software\Microsoft\EventSystem\EventLog

0

0

0

1

Mutual Authentication Required

NT AUTHORITY\NetworkService

windows

application

User Account Changed

9689

User Account Changed

592

562

"S-1-5-21-582766833-432816504-4207985818-1009"

Microsoft Windows

WIN-FPV0DSIC9O6.sigma.fr

7693

"Microsoft-Windows-DNS-Server-Service"

0

60

Metabase Add Key

DNS Server

7693

_msdcs.sigma.fr    ForestDnsZones.sigma.fr    0D000000

60

"71A551F5-C893-4849-886B-B5EC8502641E"

0x8000000000100000

4

0

"6628"

6628

60

7693

'2022-06-03 10:04:40.847180 UTC'

        769    0    4    0    0    0x8000000000000010            9                    DNS Server    WIN-FPV0DSIC9O6.sigma.fr        

"6844"

"S-1-5-21-2121334350-1110938707-2888912545-500"

0

.

WIN-FPV0DSIC9O6.sigma.fr

Win2022-AD

60

65433

_msdcs.sigma.fr

sigma.fr

sigma.fr.dns

windows

dns-server

Metabase Add Key

7693

Metabase Add Key

523

493

"S-1-5-21-2121334350-1110938707-2888912545-500"

Microsoft Windows

MXS01.snapattack.local

1

"MSExchange CmdletLogs"

1

66

MSExchange Management

1

New-MailboxExportRequest,-Mailbox "snapattack" -Name "03a5108c89f64c4993c8faf52d4322ca" -ContentFilter "Subject -eq '03a5108c89f64c4993c8faf52d4322ca'" -FilePath "\127.0.0.1\c$\inetpub\wwwroot\aspnet_client\fbxvgf.aspx",snapattack.local/Users/snapattack,S-1-5-21-2783883905-3325768869-1243185101-500,S-1-5-21-2783883905-3325768869-1243185101-500,Remote-PowerShell-Unknown,20280 w3wp#MSExchangePowerShellAppPool,,19,00:00:00.3437022,View Entire Forest: 'False', Default Scope: 'snapattack.local', Configuration Domain Controller: 'DC01.snapattack.local', Preferred Global Catalog: 'DC01.snapattack.local', Preferred Domain Controllers: '{ DC01.snapattack.local }',,,,,,,False,,0 objects execution has been proxied to remote server.,,,1,ActivityId: 72e61d11-0b45-4821-90a2-08848e150425,ServicePlan:;IsAdmin:True;,,en-US    

66

0x80000000000000

4

"16384"

66

1

'2022-05-03 18:36:53.520477 UTC'

        1    4    1    0x80000000000000            66    MSExchange Management    MXS01.snapattack.local        

MXS01.snapattack.local

MXS01_ec25d050-3a58-4db1-a8f0-0b397e2cf39a

66

windows

msexchange-management

1

432

402

Microsoft Windows

training1

8197

"Microsoft-Windows-PowerShell"

C:\Users\bob\desktop\capattack\modules\stop.ps1

prompt

4

68147

"F0414E1E-7305-0002-9755-41F00573D801"

Microsoft-Windows-PowerShell/Operational

Severity = Warning
        Host Name = ConsoleHost
        Host Version = 5.1.22000.653
        Host ID = 541d5dcc-3581-44f9-be3f-c72032a1a0d0
        Host Application = powershell -WindowStyle Hidden -exec bypass
        Engine Version = 5.1.22000.653
        Runspace ID = c93372c9-8497-4ada-b4a0-8e7f67b2d07e
        Pipeline ID = 280
        Command Name = Invoke-WebRequest
        Command Type = Cmdlet
        Script Name = 
        Command Path = 
        Sequence Number = 4995
        User = WINDOWSVICTIM\User
        Connected User = 
        Shell ID = Microsoft.PowerShell

ྠ

An unknown element "" was received. This can happen if the remote process closed or ended abnormally.

8197

Opened

68147

"A0C1853B-5C40-4B15-8766-3CF1C58F985A"

0aacaf17-f104-4cde-8fab-27831ef15a2e

0x8000000000000020

5

20

PackageManagement: A package is installed.

00000000-0000-0000-0000-000000000000

"9868"

9868

68147

1aa6385f-8a7d-4de1-ba84-96a62662dc3a

576808c7-2ec5-4ebc-8c72-0b7608c807a7

00000000-0000-0000-0000-000000000000

8197

at System.Management.Automation.Remoting.Server.OutOfProcessMediatorBase.Start(String initialCommand, String configurationName)

'2022-07-28 14:45:54.626336 UTC'

        8197    1    5    1    10    0x0            68162                    Microsoft-Windows-PowerShell/Operational    EC2AMAZ-NNKUICG        

"6032"

Package=AADInternals, Version=0.6.8, Provider=PowerShellGet, Source=PSGallery, Status=Installed, DestinationPath=

"S-1-5-21-582766833-432816504-4207985818-1009"

1

training1

training1_a6b51cc8-8b81-4d7e-a2c9-90e7ef573946

68147

9868

Opened

DefaultAppDomain

windows

powershell

8197

516

486

"S-1-5-21-582766833-432816504-4207985818-1009"

Microsoft Windows

windowsvictim

800

"PowerShell"

8

75963

A process was assigned a primary token

Windows PowerShell

800

Stopped,Available,  NewEngineState=Stopped
  PreviousEngineState=Available

   SequenceNumber=15

   HostName=ConsoleHost
    HostVersion=5.1.17763.2268
  HostId=0081ab7c-fe58-4e1a-863c-3cf3182de39c
 HostApplication=powershell.exe
  EngineVersion=5.1.17763.2268
    RunspaceId=31e8c8db-2b2b-46e4-af37-46642b996c32
 PipelineId=
 CommandName=
    CommandType=
    ScriptName=
 CommandPath=
    CommandLine=    

75963

0x80000000000000

4

0

"0"

0

"0"

75963

800

N/A

'2022-07-15 12:06:22.041268 UTC'

        800    4    8    0x80000000000000            75856    Windows PowerShell    EC2AMAZ-1CL0VOR        

"0"

0

windowsvictim

windowsvictim_32d8f699-9b6a-46e8-8381-9f403508b83f

75963

windows

powershell-classic

A process was assigned a primary token

800

A process was assigned a primary token

465

435

Microsoft Windows

823

Microsoft-Windows-PrintService

823

747EF6FD-E535-4D16-B510-42C90F6873A1

2612

2612

823

'2022-07-20 16:47:56.388245 UTC'

2648

S-1-5-21-2414553406-2212388514-3030099854-1009

windows

printservice-admin

519

489

http://schemas.microsoft.com/win/2004/08/events/event

\device\harddiskvolume4\windows\system32\svchost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

windowsvictim

8222

"VSSAudit"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\wevtutil.exe

-

3

0

success

win:unknown

843214

Windows Firewall settings were restored to the default values

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

wevtutil.exe

Windows

krbtgt

success

user

SeServiceLogonRight

%%4484

983103

-

SeServiceLogonRight

EC2AMAZ-1CL0VOR

%%1794

user

%%16390

"DB372A64-1DDF-0000-34E1-C3F65585D801"

Local Read (ExecQuery)

root\cimv2\security\MicrosoftVolumeEncryption:__Win32Provider.Name="Win32_EncryptableVolumeProvider"

UNKNOWN

-

%%8448, %%8450

VSSAudit

Negotiate

0x73c

C:\Windows\System32\ntdsutil.exe

training1

user

290

31114833-2891-4EDD-A8EC-2FF8549AA491

windefend_datagram_v4

%%16388

%%8273

Account Management

%%16385

Security

1ED2BBF9-11F0-4084-B21F-AD83A8E6DCDC

Monitor

10.0.4.126

2022-06-15 13:07:13.665388 UTC

Guacamole RDP

484

*PNP09FF

Condition ID:  {d78e1e87-8644-4ea5-9437-d809ecefc971}
  Match value:    Equal to
    Condition value:    
    00000000  5c 00 64 00 65 00 76 00-69 00 63 00 65 00 5c 00  .d.e.v.i.c.e..
    00000010  68 00 61 00 72 00 64 00-64 00 69 00 73 00 6b 00  h.a.r.d.d.i.s.k.
    00000020  76 00 6f 00 6c 00 75 00-6d 00 65 00 32 00 5c 00  v.o.l.u.m.e.2..
    00000030  70 00 72 00 6f 00 67 00-72 00 61 00 6d 00 20 00  p.r.o.g.r.a.m. .
    00000040  66 00 69 00 6c 00 65 00-73 00 20 00 28 00 78 00  f.i.l.e.s. .(.x.
    00000050  38 00 36 00 29 00 5c 00-6d 00 69 00 63 00 72 00  8.6.)..m.i.c.r.
    00000060  6f 00 73 00 6f 00 66 00-74 00 5c 00 65 00 64 00  o.s.o.f.t..e.d.
    00000070  67 00 65 00 5c 00 61 00-70 00 70 00 6c 00 69 00  g.e..a.p.p.l.i.
    00000080  63 00 61 00 74 00 69 00-6f 00 6e 00 5c 00 6d 00  c.a.t.i.o.n..m.
    00000090  73 00 65 00 64 00 67 00-65 00 2e 00 65 00 78 00  s.e.d.g.e...e.x.
    000000a0  65 00 00 00                                      e...


   Condition ID:   {0c1ba1af-5765-453f-af22-a8f791ac775b}
  Match value:    Equal to
    Condition value:    0x14e9

  Condition ID:   {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
  Match value:    Equal to
    Condition value:    0x11

0

AES-256 , SHA2-512

%%14644

827ed4bc-54ff-4032-b410-02f985a5c118

239.255.255.250

5355

Generic Non-PnP Monitor

DISPLAY\Default_Monitor\1&1f0c3c2f&0&UID256

%%14593

-

%%1793

-

%%1842

SeAssignPrimaryTokenPrivilege
            SeIncreaseQuotaPrivilege
            SeSecurityPrivilege
         SeTakeOwnershipPrivilege
            SeLoadDriverPrivilege
           SeSystemtimePrivilege
           SeBackupPrivilege
           SeRestorePrivilege
          SeShutdownPrivilege
         SeSystemEnvironmentPrivilege
            SeUndockPrivilege
           SeManageVolumePrivilege

0xc000006d

8222

1

S-1-5-21-582766833-432816504-4207985818-1009,EC2AMAZ-NNKUICG\user,0x0000000000000274,C:\Windows\System32\vssadmin.exe,{5d0247f2-6dbc-4295-8ba8-a779b444c3f6},{bc77a77b-e166-46aa-a3a0-9a46334b947a},{b5946137-7b9f-4925-af80-51abd60b20d5},EC2AMAZ-NNKUICG,\?\Volume{e3c0cc15-0000-0000-0000-100000000000}\,\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1    

1

843214

0x10d178

EC2AMAZ-NNKUICG

0x0

68102

00307222-72B1-4AEF-8A7F-62AF4B4604DF

Microsoft Edge (mDNS-In)

Query User Default

70338

%%16388

512

%{S-1-5-21-2414553406-2212388514-3030099854-513}
      %{S-1-1-0}
      %{S-1-5-114}
        %{S-1-5-32-544}
     %{S-1-5-32-545}
     %{S-1-5-2}
      %{S-1-5-11}
     %{S-1-5-15}
     %{S-1-5-113}
        %{S-1-5-64-10}
      %{S-1-16-12288}

EC2AMAZ-NNKUICG

Users

"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}"

0xd24

%%1826

%%1793

%%1793

%%1833

16

::1

49901

-

%%1826

C:\ProgramData\Microsoft\Crypto\SystemKeys\c56b3f40b196d4f8d43940688b5b8765_4d6cbdb8-0892-45ee-9d0d-f2e8b7a5fa78

te-8811d5ab-8de8-4b50-a578-845af8f06794

%%2500

0x80a0000000000000

46

A3B42C97-9F04-4672-B87E-CEE9C483257F

ALE Receive/Accept v6 Layer

48

4

-

-

S-1-5-21-2158604247-1726342757-1935066190-500      doadmin      DOAZLAB      0xb82dc

6D906345-171E-BA8F-34F0-A0F6E60FC960

%%1797

0x9fb6c3

UserManager

3

1207182

0xcedae

3

S-1-16-12288

Edge

-

S-1-5-21-582766833-432816504-4207985818-1010

Transaction = '1' -> '0'
     Synchronization = '3' -> '0'
        JustInTimeActivation = '1' -> '0'
       EventTrackingEnabled = '1' -> '0'

0x2260

C:\Windows\System32\conhost.exe

S:ARAI(RA;;;;;WD;("IMAGELOAD",TU,0x0,1))

0x15

%%1800

%%1873

InterfacesForComponent

ID = {D155805A-726F-4163-8879-E4AAC4F058F3}
        AppPartitionID = {41E90F3E-56C1-4633-81C3-6E8BAC8BDD70}

root\cimv2\security\MicrosoftVolumeEncryption

Name = T1218.009
       ApplicationProxyServerName = 
       ProcessType = 2
     CommandLine = 
      ServiceName = 
      RunAsUserType = 1
       Identity = Interactive User
     Description = 
      IsSystem = N
        Authentication = 4
      ShutdownAfter = 3
       RunForever = N
      Password = **
     Activation = Inproc
     Changeable = Y
      Deleteable = Y
      CreatedBy = 
        AccessChecksLevel = 0
       ApplicationAccessChecksEnabled = 1
      cCOL_SecurityDescriptor =

WMI

WMI Namespace

ConfigXML

D:(A;;GA;;;BA)(A;;GA;;;SY)

0x15

%%1800

%%1873

0

%%2480

Object Access

%%14644

MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

%%1794

2

513

SeTakeOwnershipPrivilege

2022-06-28 15:09:44.051913 UTC

"760"

9048

0x8f8

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Public

%%1793

---
 {19195a5a-6da0-11d0-afd3-00c04fd930c9}
%%1537
%%1538
%%1539
%%1540
%%5392
%%5393
%%5394
%%5395
%%5396
%%5397
%%5398
%%5399
%%5400
        {c7407360-20bf-11d0-a768-00aa006e0529}
          {bf9679a4-0de6-11d0-a285-00aa003049e2}
          {bf9679a5-0de6-11d0-a285-00aa003049e2}
          {bf9679a6-0de6-11d0-a285-00aa003049e2}
          {bf9679bb-0de6-11d0-a285-00aa003049e2}
          {bf9679c2-0de6-11d0-a285-00aa003049e2}
          {bf9679c3-0de6-11d0-a285-00aa003049e2}
          {bf967a09-0de6-11d0-a285-00aa003049e2}
          {bf967a0b-0de6-11d0-a285-00aa003049e2}
      {b8119fd0-04f6-4762-ab7a-4986c76b3f9a}
          {bf967a34-0de6-11d0-a285-00aa003049e2}
          {bf967a33-0de6-11d0-a285-00aa003049e2}
          {bf9679c5-0de6-11d0-a285-00aa003049e2}
          {bf967a61-0de6-11d0-a285-00aa003049e2}
          {bf967977-0de6-11d0-a285-00aa003049e2}
          {bf96795e-0de6-11d0-a285-00aa003049e2}
          {bf9679ea-0de6-11d0-a285-00aa003049e2}
      {ab721a52-1e2f-11d0-9819-00aa0040529b}

0x0

6

382FC699-0C62-4D70-B30A-FBD3D01201AB

MPSSVC

%%16388

DECC16CA-3F33-4346-BE1E-8FB4AE0F3D62

Microsoft Software Key Storage Provider

%%16387

"0"

%%8100

843214

PSEXESVC.exe

S-1-0-0

S-1-0-0

-

1768FEC9-9F65-11EC-B264-0EE277C94A07

-

3221226021

0x0

Local Port

{5C6A0A6C-7D33-4849-8164-F43696BFF0D9}

Usermode Font Driver Host

threatactor

%%1793

LocalSystem

%SystemRoot%\PSEXESVC.exe

krbtgt

S-1-5-21-989241848-306340870-1210095284-502

0x10

2

RDP-Tcp#1

Enable Windows Defender Firewall

No

C:\Windows

\*\E$

-

8222

::

0xb88

5355

0x8f8

49901

-

EC2AMAZ-NNKUICG

0xc000006d

3C1CD879-1B8C-4AB4-8F83-5ED129176EF3

windefend

%%16388

0xc000006a

0xc000006a

0CCE9215-69AE-11D9-BED3-505054503030

%%12544

training1

1207182

0xcedae