<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:24:37.265954400Z'/><EventRecordID>218993</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:24:37.265</Data><Data Name='ProcessGuid'>{AE77D3C2-1E35-657B-1604-000000003403}</Data><Data Name='ProcessId'>4584</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Version /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:24:37.212132500Z'/><EventRecordID>218992</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:24:37.211</Data><Data Name='ProcessGuid'>{AE77D3C2-1E35-657B-1504-000000003403}</Data><Data Name='ProcessId'>3428</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Caption /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:24:37.156202000Z'/><EventRecordID>218989</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:24:37.155</Data><Data Name='ProcessGuid'>{AE77D3C2-1E35-657B-1404-000000003403}</Data><Data Name='ProcessId'>4976</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get Domain /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:24:37.073049200Z'/><EventRecordID>218988</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:24:37.072</Data><Data Name='ProcessGuid'>{AE77D3C2-1E35-657B-1204-000000003403}</Data><Data Name='ProcessId'>2116</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:22:00.329156500Z'/><EventRecordID>164519</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:22:00.328</Data><Data Name='ProcessGuid'>{C429ADC8-1D98-657B-EE03-000000003403}</Data><Data Name='ProcessId'>4976</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Version /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:22:00.242762500Z'/><EventRecordID>164518</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:22:00.241</Data><Data Name='ProcessGuid'>{C429ADC8-1D98-657B-ED03-000000003403}</Data><Data Name='ProcessId'>5032</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Caption /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:22:00.162445000Z'/><EventRecordID>164517</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:22:00.161</Data><Data Name='ProcessGuid'>{C429ADC8-1D98-657B-EC03-000000003403}</Data><Data Name='ProcessId'>4268</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get Domain /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:21:59.982368100Z'/><EventRecordID>164516</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:21:59.980</Data><Data Name='ProcessGuid'>{C429ADC8-1D97-657B-EA03-000000003403}</Data><Data Name='ProcessId'>4132</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:20:03.110075700Z'/><EventRecordID>218420</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:20:03.109</Data><Data Name='ProcessGuid'>{AE77D3C2-1D23-657B-FA03-000000003403}</Data><Data Name='ProcessId'>3956</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  /node:"18.190.133.215" /user:admin /password:administrator┬áprocess list brief</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1D0A-657B-F003-000000003403}</Data><Data Name='ParentProcessId'>4944</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>"cmd.exe" /s /k pushd "C:\Temp"</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:20:03.001565100Z'/><EventRecordID>218419</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:20:03.000</Data><Data Name='ProcessGuid'>{AE77D3C2-1D23-657B-F903-000000003403}</Data><Data Name='ProcessId'>4516</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  process 528 get commandline</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1D0A-657B-F003-000000003403}</Data><Data Name='ParentProcessId'>4944</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>"cmd.exe" /s /k pushd "C:\Temp"</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:20:02.853803600Z'/><EventRecordID>218418</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:20:02.853</Data><Data Name='ProcessGuid'>{AE77D3C2-1D22-657B-F803-000000003403}</Data><Data Name='ProcessId'>3564</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  process get commandline -all</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1D0A-657B-F003-000000003403}</Data><Data Name='ParentProcessId'>4944</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>"cmd.exe" /s /k pushd "C:\Temp"</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:41.774809100Z'/><EventRecordID>218370</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:41.774</Data><Data Name='ProcessGuid'>{AE77D3C2-1D0D-657B-F203-000000003403}</Data><Data Name='ProcessId'>4584</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  /node:"18.190.133.215" process list brief</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1D0A-657B-F003-000000003403}</Data><Data Name='ParentProcessId'>4944</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>"cmd.exe" /s /k pushd "C:\Temp"</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:37.271788600Z'/><EventRecordID>218357</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:37.271</Data><Data Name='ProcessGuid'>{AE77D3C2-1D09-657B-EF03-000000003403}</Data><Data Name='ProcessId'>4236</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Version /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:37.220026500Z'/><EventRecordID>218356</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:37.219</Data><Data Name='ProcessGuid'>{AE77D3C2-1D09-657B-EE03-000000003403}</Data><Data Name='ProcessId'>1692</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Caption /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:37.162902800Z'/><EventRecordID>218355</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:37.162</Data><Data Name='ProcessGuid'>{AE77D3C2-1D09-657B-ED03-000000003403}</Data><Data Name='ProcessId'>5032</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get Domain /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:37.071322500Z'/><EventRecordID>218354</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:37.070</Data><Data Name='ProcessGuid'>{AE77D3C2-1D09-657B-EC03-000000003403}</Data><Data Name='ProcessId'>2348</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:30.329851900Z'/><EventRecordID>218333</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:30.329</Data><Data Name='ProcessGuid'>{AE77D3C2-1D02-657B-E803-000000003403}</Data><Data Name='ProcessId'>4152</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  /node:"18.190.133.215" /user:admin /password:administrator┬áprocess list brief</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1CEC-657B-E203-000000003403}</Data><Data Name='ParentProcessId'>3956</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>C:\Windows\system32\cmd.exe /c ""C:\Temp\svr.bat" "</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:30.242790200Z'/><EventRecordID>218332</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:30.241</Data><Data Name='ProcessGuid'>{AE77D3C2-1D02-657B-E703-000000003403}</Data><Data Name='ProcessId'>3980</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  process 528 get commandline</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1CEC-657B-E203-000000003403}</Data><Data Name='ParentProcessId'>3956</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>C:\Windows\system32\cmd.exe /c ""C:\Temp\svr.bat" "</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:30.074126100Z'/><EventRecordID>218331</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:30.073</Data><Data Name='ProcessGuid'>{AE77D3C2-1D02-657B-E503-000000003403}</Data><Data Name='ProcessId'>3092</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  process get commandline -all</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1CEC-657B-E203-000000003403}</Data><Data Name='ParentProcessId'>3956</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>C:\Windows\system32\cmd.exe /c ""C:\Temp\svr.bat" "</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:19:08.924786900Z'/><EventRecordID>218288</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:19:08.923</Data><Data Name='ProcessGuid'>{AE77D3C2-1CEC-657B-E403-000000003403}</Data><Data Name='ProcessId'>3572</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic  /node:"18.190.133.215" process list brief</Data><Data Name='CurrentDirectory'>C:\Temp\</Data><Data Name='User'>ATTACKRANGE\Administrator</Data><Data Name='LogonGuid'>{AE77D3C2-0DF6-657B-AB3A-100000000000}</Data><Data Name='LogonId'>0x103aab</Data><Data Name='TerminalSessionId'>2</Data><Data Name='IntegrityLevel'>High</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-1CEC-657B-E203-000000003403}</Data><Data Name='ParentProcessId'>3956</Data><Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data><Data Name='ParentCommandLine'>C:\Windows\system32\cmd.exe /c ""C:\Temp\svr.bat" "</Data><Data Name='ParentUser'>ATTACKRANGE\Administrator</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:17:00.380039300Z'/><EventRecordID>164443</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:17:00.379</Data><Data Name='ProcessGuid'>{C429ADC8-1C6C-657B-D003-000000003403}</Data><Data Name='ProcessId'>4560</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Version /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:17:00.295062500Z'/><EventRecordID>164442</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:17:00.294</Data><Data Name='ProcessGuid'>{C429ADC8-1C6C-657B-CF03-000000003403}</Data><Data Name='ProcessId'>3856</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Caption /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:17:00.182067200Z'/><EventRecordID>164441</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:17:00.180</Data><Data Name='ProcessGuid'>{C429ADC8-1C6C-657B-CE03-000000003403}</Data><Data Name='ProcessId'>3400</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get Domain /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:16:59.976729800Z'/><EventRecordID>164440</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:16:59.975</Data><Data Name='ProcessGuid'>{C429ADC8-1C6B-657B-CC03-000000003403}</Data><Data Name='ProcessId'>5108</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:14:37.289750900Z'/><EventRecordID>217709</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:14:37.289</Data><Data Name='ProcessGuid'>{AE77D3C2-1BDD-657B-C303-000000003403}</Data><Data Name='ProcessId'>3520</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Version /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:14:37.227479100Z'/><EventRecordID>217708</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:14:37.226</Data><Data Name='ProcessGuid'>{AE77D3C2-1BDD-657B-C203-000000003403}</Data><Data Name='ProcessId'>4812</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Caption /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:14:37.170609300Z'/><EventRecordID>217707</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:14:37.169</Data><Data Name='ProcessGuid'>{AE77D3C2-1BDD-657B-C103-000000003403}</Data><Data Name='ProcessId'>2100</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get Domain /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:14:37.067989600Z'/><EventRecordID>217706</EventRecordID><Correlation/><Execution ProcessID='2572' ThreadID='2988'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-dc.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:14:37.067</Data><Data Name='ProcessGuid'>{AE77D3C2-1BDD-657B-BF03-000000003403}</Data><Data Name='ProcessId'>4876</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{AE77D3C2-FEF1-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{AE77D3C2-0049-657B-8E00-000000003403}</Data><Data Name='ParentProcessId'>1328</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:12:00.373222700Z'/><EventRecordID>164323</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:12:00.372</Data><Data Name='ProcessGuid'>{C429ADC8-1B40-657B-B203-000000003403}</Data><Data Name='ProcessId'>3608</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Version /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:12:00.295735600Z'/><EventRecordID>164322</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:12:00.294</Data><Data Name='ProcessGuid'>{C429ADC8-1B40-657B-B103-000000003403}</Data><Data Name='ProcessId'>4896</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>wmic OS get Caption /format:list</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:12:00.198568100Z'/><EventRecordID>164321</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:12:00.197</Data><Data Name='ProcessGuid'>{C429ADC8-1B40-657B-B003-000000003403}</Data><Data Name='ProcessId'>896</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get Domain /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Sysmon' Guid='{5770385F-C22A-43E0-BF4C-06F5698FFBD9}'/><EventID>1</EventID><Version>5</Version><Level>4</Level><Task>1</Task><Opcode>0</Opcode><Keywords>0x8000000000000000</Keywords><TimeCreated SystemTime='2023-12-14T15:11:59.974433100Z'/><EventRecordID>164320</EventRecordID><Correlation/><Execution ProcessID='1960' ThreadID='2396'/><Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>ar-win-2.attackrange.local</Computer><Security UserID='S-1-5-18'/></System><EventData><Data Name='RuleName'>-</Data><Data Name='UtcTime'>2023-12-14 15:11:59.973</Data><Data Name='ProcessGuid'>{C429ADC8-1B3F-657B-AE03-000000003403}</Data><Data Name='ProcessId'>3764</Data><Data Name='Image'>C:\Windows\System32\wbem\WMIC.exe</Data><Data Name='FileVersion'>10.0.14393.0 (rs1_release.160715-1616)</Data><Data Name='Description'>WMI Commandline Utility</Data><Data Name='Product'>Microsoft® Windows® Operating System</Data><Data Name='Company'>Microsoft Corporation</Data><Data Name='OriginalFileName'>wmic.exe</Data><Data Name='CommandLine'>C:\Windows\System32\wbem\wmic.exe computersystem get DNSHostName /value</Data><Data Name='CurrentDirectory'>C:\Windows\system32\</Data><Data Name='User'>NT AUTHORITY\SYSTEM</Data><Data Name='LogonGuid'>{C429ADC8-FEF3-657A-E703-000000000000}</Data><Data Name='LogonId'>0x3e7</Data><Data Name='TerminalSessionId'>0</Data><Data Name='IntegrityLevel'>System</Data><Data Name='Hashes'>MD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E</Data><Data Name='ParentProcessGuid'>{C429ADC8-004A-657B-8F00-000000003403}</Data><Data Name='ParentProcessId'>616</Data><Data Name='ParentImage'>C:\Program Files\Amazon\SSM\ssm-agent-worker.exe</Data><Data Name='ParentCommandLine'>"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"</Data><Data Name='ParentUser'>NT AUTHORITY\SYSTEM</Data></EventData></Event>