03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624141 Keywords=None Message=Started invocation of ScriptBlock ID: 64c7c321-e44d-4baf-a300-841669d9940a Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624140 Keywords=None Message=Completed invocation of ScriptBlock ID: 5fac000e-a2f5-4259-88ec-b8ba8a211c50 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624139 Keywords=None Message=Completed invocation of ScriptBlock ID: 1c1519d2-b1b2-4af9-9be1-6cdefebce033 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624138 Keywords=None Message=Started invocation of ScriptBlock ID: 1c1519d2-b1b2-4af9-9be1-6cdefebce033 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624137 Keywords=None Message=Started invocation of ScriptBlock ID: 5fac000e-a2f5-4259-88ec-b8ba8a211c50 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=12624136 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 5fac000e-a2f5-4259-88ec-b8ba8a211c50 Path: 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624135 Keywords=None Message=Completed invocation of ScriptBlock ID: 1086bb02-5211-44e3-af56-bb837316fc3b Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624134 Keywords=None Message=Started invocation of ScriptBlock ID: 1086bb02-5211-44e3-af56-bb837316fc3b Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624133 Keywords=None Message=Completed invocation of ScriptBlock ID: 82e42fe3-10bf-49e2-b39b-a04af42f8ccf Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624132 Keywords=None Message=Started invocation of ScriptBlock ID: 82e42fe3-10bf-49e2-b39b-a04af42f8ccf Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=12624131 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} ScriptBlock ID: 82e42fe3-10bf-49e2-b39b-a04af42f8ccf Path: 03/28/2022 11:02:43 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624130 Keywords=None Message=Completed invocation of ScriptBlock ID: 64c7c321-e44d-4baf-a300-841669d9940a Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624153 Keywords=None Message=Started invocation of ScriptBlock ID: 64c7c321-e44d-4baf-a300-841669d9940a Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624152 Keywords=None Message=Completed invocation of ScriptBlock ID: 992726d4-26c5-4011-bf91-c56a3d4ca6f2 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624151 Keywords=None Message=Completed invocation of ScriptBlock ID: 1c1519d2-b1b2-4af9-9be1-6cdefebce033 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624150 Keywords=None Message=Started invocation of ScriptBlock ID: 1c1519d2-b1b2-4af9-9be1-6cdefebce033 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624149 Keywords=None Message=Started invocation of ScriptBlock ID: 992726d4-26c5-4011-bf91-c56a3d4ca6f2 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=12624148 Keywords=None Message=Creating Scriptblock text (1 of 1): prompt ScriptBlock ID: 992726d4-26c5-4011-bf91-c56a3d4ca6f2 Path: 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624147 Keywords=None Message=Completed invocation of ScriptBlock ID: 1086bb02-5211-44e3-af56-bb837316fc3b Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624146 Keywords=None Message=Started invocation of ScriptBlock ID: 1086bb02-5211-44e3-af56-bb837316fc3b Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624145 Keywords=None Message=Completed invocation of ScriptBlock ID: 660cf73e-16c9-46c1-b730-65fb67f81ae2 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4105 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Starting Command OpCode=On create calls RecordNumber=12624144 Keywords=None Message=Started invocation of ScriptBlock ID: 660cf73e-16c9-46c1-b730-65fb67f81ae2 Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4104 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Execute a Remote Command OpCode=On create calls RecordNumber=12624143 Keywords=None Message=Creating Scriptblock text (1 of 1): Get-ADComputer -Filter {TrustedForDelegation -eq $true } ScriptBlock ID: 660cf73e-16c9-46c1-b730-65fb67f81ae2 Path: 03/28/2022 11:02:48 PM LogName=Microsoft-Windows-PowerShell/Operational SourceName=Microsoft-Windows-PowerShell EventCode=4106 EventType=5 Type=Verbose ComputerName=win-host-987.attackrange.local User=NOT_TRANSLATED Sid=S-1-5-21-1166625382-1442148322-2337405042-2397 SidType=0 TaskCategory=Stopping Command OpCode=On create calls RecordNumber=12624142 Keywords=None Message=Completed invocation of ScriptBlock ID: 64c7c321-e44d-4baf-a300-841669d9940a Runspace ID: 1e891da0-43f6-4e4c-9d5b-2151b23b80e3