| Source | Author | Data |
| --- | --- | --- |
| Event Logs | Florian Roth | EventID: 4781, NewTargetUserName: dc-01, OldTargetUserName: dcadmin1$, PrivilegeList: -, Source: Microsoft-Windows-Security-Auditing, SubjectDomainName: AD01, SubjectLogonId: 0x16b8f4, SubjectUserName: user, SubjectUserSid: S-1-5-21-3384971621-2488082584-654606338-1105, TargetDomainName: AD01, TargetSid: S-1-5-21-3384971621-2488082584-654606338-1106, data0: dcadmin1$, data1: dc-01, data2: AD01, data3: S-1-5-21-3384971621-2488082584-654606338-1106, data4: S-1-5-21-3384971621-2488082584-654606338-1105, data5: user, data6: AD01, data7: 0x16b8f4, data8: - |
| Network Connection | Ilyas Ochkov, oscd.community | DestinationIp: 192.168.1.200, DestinationIsIpv6: false, DestinationPort: 88, EventID: 3, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Initiated: true, ProcessId: 5580, Protocol: tcp, SourceIp: 192.168.1.201, SourceIsIpv6: false, SourcePort: 62723 |
| Event Logs | oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st | EventID: 4648, IpAddress: -, IpPort: -, LogonGuid: {00000000-0000-0000-0000-000000000000}, ProcessId: 0x15cc, ProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Source: Microsoft-Windows-Security-Auditing, SubjectDomainName: AD01, SubjectLogonId: 0x5bfb9, SubjectUserName: user, SubjectUserSid: S-1-5-21-3384971621-2488082584-654606338-1105, TargetDomainName: AD01.LOCAL, TargetInfo: ldap/DC-01.ad01.local, TargetLogonGuid: {0d7257f6-ead0-9c49-99fe-cda91a935390}, TargetServerName: DC-01.ad01.local, TargetUserName: user, data0: S-1-5-21-3384971621-2488082584-654606338-1105, data1: user, data10: 0x15cc, data11: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, data12: -, data13: -, data2: AD01, data3: 0x5bfb9, data4: {00000000-0000-0000-0000-000000000000}, data5: user, data6: AD01.LOCAL, data7: {0d7257f6-ead0-9c49-99fe-cda91a935390}, data8: DC-01.ad01.local, data9: ldap/DC-01.ad01.local |
| Pipe created | Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | PipeName: \PSHost.132881894112152451.5580.DefaultAppDomain.powershell |