zaneGittins · June 30, 2021 17:33
diff --git a/print-nightmare-sysmon.txt b/print-nightmare-sysmon.txt
 File created:
 RuleName: DLL
 UtcTime: 2021-06-30 17:17:08.957
 ProcessGuid: {9ca9a477-a70f-60dc-856d-f00000000000}
 ProcessId: 332
 Image: C:\Windows\System32\spoolsv.exe
 TargetFilename: C:\Windows\System32\spool\drivers\x64\3\New\Test.dll
 CreationUtcTime: 2021-06-30 17:14:41.231

 Network connection detected:
 RuleName: -
 UtcTime: 2021-06-12 03:59:03.535
 ProcessGuid: {9ca9a477-a709-60dc-6d06-000000003600}
 ProcessId: 7160
 Image: C:\Windows\System32\rundll32.exe
 User: NT AUTHORITY\SYSTEM
 Protocol: tcp
 Initiated: true
 SourceIsIpv6: false
 SourceIp: 192.168.91.133
 SourceHostname: GIBSONDC01.gibson.com
 SourcePort: 64133
 SourcePortName: -
 DestinationIsIpv6: false
 DestinationIp: <REDACTED>
 DestinationHostname: -
 DestinationPort: 8443
 DestinationPortName: -

 Process Create:
 RuleName: -
 UtcTime: 2021-06-30 17:16:57.196
 ProcessGuid: {9ca9a477-a709-60dc-e5e7-ef0000000000}
 ProcessId: 7160
 Image: C:\Windows\System32\rundll32.exe
 FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
 Description: Windows host process (Rundll32)
 Product: Microsoft® Windows® Operating System
 Company: Microsoft Corporation
 OriginalFileName: RUNDLL32.EXE
 CommandLine: rundll32.exe
 CurrentDirectory: C:\Windows\system32\
 User: NT AUTHORITY\SYSTEM
 LogonGuid: {9ca9a477-5c3a-5fff-e703-000000000000}
 LogonId: 0x3E7
 TerminalSessionId: 0
 IntegrityLevel: System
 Hashes: MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
 ParentProcessGuid: {9ca9a477-5c4c-5fff-2800-000000003600}
 ParentProcessId: 2676
 ParentImage: C:\Windows\System32\spoolsv.exe
 ParentCommandLine: C:\Windows\System32\spoolsv.exe
	File created:
	RuleName: DLL
	UtcTime: 2021-06-30 17:17:08.957
	ProcessGuid: {9ca9a477-a70f-60dc-856d-f00000000000}
	ProcessId: 332
	Image: C:\Windows\System32\spoolsv.exe
	TargetFilename: C:\Windows\System32\spool\drivers\x64\3\New\Test.dll
	CreationUtcTime: 2021-06-30 17:14:41.231

	Network connection detected:
	RuleName: -
	UtcTime: 2021-06-12 03:59:03.535
	ProcessGuid: {9ca9a477-a709-60dc-6d06-000000003600}
	ProcessId: 7160
	Image: C:\Windows\System32\rundll32.exe
	User: NT AUTHORITY\SYSTEM
	Protocol: tcp
	Initiated: true
	SourceIsIpv6: false
	SourceIp: 192.168.91.133
	SourceHostname: GIBSONDC01.gibson.com
	SourcePort: 64133
	SourcePortName: -
	DestinationIsIpv6: false
	DestinationIp: <REDACTED>
	DestinationHostname: -
	DestinationPort: 8443
	DestinationPortName: -

	Process Create:
	RuleName: -
	UtcTime: 2021-06-30 17:16:57.196
	ProcessGuid: {9ca9a477-a709-60dc-e5e7-ef0000000000}
	ProcessId: 7160
	Image: C:\Windows\System32\rundll32.exe
	FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
	Description: Windows host process (Rundll32)
	Product: Microsoft® Windows® Operating System
	Company: Microsoft Corporation
	OriginalFileName: RUNDLL32.EXE
	CommandLine: rundll32.exe
	CurrentDirectory: C:\Windows\system32\
	User: NT AUTHORITY\SYSTEM
	LogonGuid: {9ca9a477-5c3a-5fff-e703-000000000000}
	LogonId: 0x3E7
	TerminalSessionId: 0
	IntegrityLevel: System
	Hashes: MD5=C73BA51880F5A7FB20C84185A23212EF,SHA256=01B407AF0200B66A34D9B1FA6D9EAAB758EFA36A36BB99B554384F59F8690B1A,IMPHASH=F27A7FC3A53E74F45BE370131953896A
	ParentProcessGuid: {9ca9a477-5c4c-5fff-2800-000000003600}
	ParentProcessId: 2676
	ParentImage: C:\Windows\System32\spoolsv.exe
	ParentCommandLine: C:\Windows\System32\spoolsv.exe